-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2021.0153
         Oracle Construction and Engineering Critical Patch Update
                               21 July 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Instantis EnterpriseTrack
                  Primavera Gateway
                  Primavera P6 Enterprise Project Portfolio Management
                  Primavera Unifier
Operating System: Windows
                  UNIX variants (UNIX, Linux, OSX)
Impact/Access:    Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                  Denial of Service               -- Remote/Unauthenticated
                  Access Confidential Data        -- Remote/Unauthenticated
                  Modify Arbitrary Files          -- Existing Account      
                  Read-only Data Access           -- Existing Account      
Resolution:       Patch/Upgrade
CVE Names:        CVE-2021-27906 CVE-2021-25122 CVE-2021-21409
                  CVE-2021-2386 CVE-2021-2366 CVE-2020-25649
                  CVE-2020-8203 CVE-2020-5258 CVE-2019-17195
Reference:        ASB-2021.0152
                  ASB-2021.0139
                  ASB-2021.0083

OVERVIEW

        Multiple vulnerabilities have been identified in:
         o Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3
         o Primavera Gateway, versions 17.12.0-17.12.11, 18.8.0-18.8.11,
           19.12.0-19.12.10, 20.12.0
         o Primavera P6 Enterprise Project Portfolio Management, versions
           17.12.0-17.12.20, 18.8.0-18.8.23, 19.12.0-19.12.14,
           20.12.0-20.12.3
         o Primavera Unifier, versions 17.7-17.12, 18.8, 19.12, 20.12
        [1]


IMPACT

        The vendor has provided the following information regarding the
        vulnerabilities:
        
        "This Critical Patch Update contains 10 new security patches for
        Oracle Construction and Engineering. 5 of these vulnerabilities may
        be remotely exploitable without authentication, i.e., may be
        exploited over a network without requiring user credentials." [1]
        
        CVE-2019-17195
          9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Supported versions that are affected are 18.8.0-18.8.11. Easily
        exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Primavera Gateway. Successful
        attacks of this vulnerability can result in takeover of Primavera
        Gateway.
         Affects:
         o Primavera Gateway 18.8.0-18.8.11
        
        CVE-2021-25122
          7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
        Supported versions that are affected are 17.1, 17.2 and 17.3. Easily
        exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Instantis EnterpriseTrack.
        Successful attacks of this vulnerability can result in unauthorized
        access to critical data or complete access to all Instantis
        EnterpriseTrack accessible data.
         Affects:
         o Instantis EnterpriseTrack 17.1, 17.2, 17.3
                
        CVE-2020-25649
          3.9 AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
        Supported versions that are affected are 17.7-17.12, 18.8, 19.12 and
        20.12. Easily exploitable vulnerability allows low privileged
        attacker with logon to the infrastructure where Primavera Unifier
        executes to compromise Primavera Unifier. Successful attacks require
        human interaction from a person other than the attacker. Successful
        attacks of this vulnerability can result in unauthorized update,
        insert or delete access to some of Primavera Unifier accessible data
        as well as unauthorized read access to a subset of Primavera Unifier
        accessible data.
         Affects:
         o Primavera Gateway 17.12.0-17.12.11, 18.8.0-18.8.11,
           19.12.0-19.12.10, 20.12.0
         o Primavera Unifier 17.7-17.12, 18.8, 19.12, 20.12
        
        CVE-2020-8203
          7.4 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H
        Supported versions that are affected are 17.12.0-17.12.11,
        18.8.0-18.8.11, 19.12.0-19.12.10 and 20.12.0. Difficult to exploit
        vulnerability allows unauthenticated attacker with network access via
        HTTP to compromise Primavera Gateway. Successful attacks of this
        vulnerability can result in unauthorized creation, deletion or
        modification access to critical data or all Primavera Gateway
        accessible data and unauthorized ability to cause a hang or
        frequently repeatable crash (complete DOS) of Primavera Gateway.
         Affects:
         o Primavera Gateway 17.12.0-17.12.11, 18.8.0-18.8.11,
           19.12.0-19.12.10, 20.12.0
        
        CVE-2021-2366
          6.4 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
        Supported versions that are affected are 17.12.0-17.12.20,
        18.8.0-18.8.23, 19.12.0-19.12.14 and 20.12.0-20.12.3. Easily
        exploitable vulnerability allows low privileged attacker with network
        access via HTTP to compromise Primavera P6 Enterprise Project
        Portfolio Management. While the vulnerability is in Primavera P6
        Enterprise Project Portfolio Management, attacks may significantly
        impact additional products. Successful attacks of this vulnerability
        can result in unauthorized update, insert or delete access to some of
        Primavera P6 Enterprise Project Portfolio Management accessible data
        as well as unauthorized read access to a subset of Primavera P6
        Enterprise Project Portfolio Management accessible data.
         Affects:
         o Primavera P6 Enterprise Project Portfolio Management
           17.12.0-17.12.20, 18.8.0-18.8.23, 19.12.0-19.12.14,
           20.12.0-20.12.3
        
        CVE-2021-21409
          5.9 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
        Supported versions that are affected are 17.12.0-17.12.11,
        18.8.0-18.8.11 and 19.12.0-19.12.10. Difficult to exploit
        vulnerability allows unauthenticated attacker with network access via
        HTTP to compromise Primavera Gateway. Successful attacks of this
        vulnerability can result in unauthorized creation, deletion or
        modification access to critical data or all Primavera Gateway
        accessible data.
         Affects:
         o Primavera Gateway 17.12.0-17.12.11, 18.8.0-18.8.11,
           19.12.0-19.12.10
        
        CVE-2021-27906
          5.5 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
        Supported versions that are affected are 17.7-17.12, 18.8, 19.12 and
        20.12. Easily exploitable vulnerability allows unauthenticated
        attacker with logon to the infrastructure where Primavera Unifier
        executes to compromise Primavera Unifier. Successful attacks require
        human interaction from a person other than the attacker. Successful
        attacks of this vulnerability can result in unauthorized ability to
        cause a hang or frequently repeatable crash (complete DOS) of
        Primavera Unifier.
         Affects:
         o Primavera Unifier 17.7-17.12, 18.8, 19.12, 20.12
        
        CVE-2021-2386
          4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
        Supported versions that are affected are 20.12.0-20.12.3. Easily
        exploitable vulnerability allows low privileged attacker with network
        access via HTTP to compromise Primavera P6 Enterprise Project
        Portfolio Management. Successful attacks of this vulnerability can
        result in unauthorized read access to a subset of Primavera P6
        Enterprise Project Portfolio Management accessible data.
         Affects:
         o Primavera P6 Enterprise Project Portfolio Management
           20.12.0-20.12.3
        
        CVE-2020-5258
          4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
        Supported versions that are affected are 17.7-17.12, 18.8, 19.12 and
        20.12. Easily exploitable vulnerability allows low privileged
        attacker with network access via HTTP to compromise Primavera
        Unifier. Successful attacks of this vulnerability can result in
        unauthorized update, insert or delete access to some of Primavera
        Unifier accessible data.
         Affects:
         o Primavera Unifier 17.7-17.12, 18.8, 19.12, 20.12
        


MITIGATION

        Oracle states:
        
        "Due to the threat posed by a successful attack, Oracle strongly
        recommends that customers apply CPU fixes as soon as possible. Until
        you apply the CPU fixes, it may be possible to reduce the risk of
        successful attack by blocking network protocols required by an
        attack. For attacks that require certain privileges or access to
        certain packages, removing the privileges or the ability to access
        the packages from users that do not need the privileges may help
        reduce the risk of successful attack. Both approaches may break
        application functionality, so Oracle strongly recommends that
        customers test changes on non-production systems. Neither approach
        should be considered a long-term solution as neither corrects the
        underlying problem." [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - July 2021
            https://www.oracle.com/security-alerts/cpujul2021.html

        [2] Text Form of Oracle Critical Patch Update - July 2021 Risk Matrices
            https://www.oracle.com/security-alerts/cpujul2021verbose.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYPerDuNLKJtyKPYoAQid0A//YmWIsiAFH3U1kHLCTGtViV2Kgz0k9wwl
YicL95jO2FpUx5yurzxT2x5T6fcA8+S9zAMYSt2wUVaCsuF8Bcy85SrIP6NvaUUp
li2UJVl6IzMJiU9t1Rlh+ohXcGm9xSEJuegf4gQaaat/+4g7dWWEK3ougLL495+2
Vots7h3XbzzNQI3Wnu0zPf606wVGHP1MF5VwRElBoq/pyeYc0sqgyDgAmCA2txZE
/q99Nfoaspf/Z4Y9CsPXEZn5QPP9qNdEsnMlnf6PQEktOSPgEXW4fy8Lxx7iHx5F
fPfRM+qElti1QPyIyxxk/RP+xac41enq14kOPD8IhfsCn6DDLzQ+0lTiR7iHsC8a
rfEaA01RqruCaPCp/rmN0xcD0iZNqokb1inL+X1Zxze8d1Lzi7Bsj1ki6olx89zV
3GOOp3133ywZLQ3nHlnSBHvosVctdelbOjpG3euuHsnHmUEBEDi1byEu5Nm587+y
Il8tQvMHz+zzOLd8DU0EJn2SmVGk5JcJozQ1IGtG3t9IVUSqeEcKGfukV6t4YeeV
dxpj94J9xcgnNG7cxhwWfheLc3HDORdFL9K+3gSXZZ8Ia8n/EO8SI9BYGohB2Lve
gDW5Up5vjVP8w1Tg832H2HjmR2DVhtJSntmGE2smE2a6DOQb/NVdGg2h5oAMQskE
rwZJpXaZaEo=
=4Poz
-----END PGP SIGNATURE-----