-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2022.0221
             Oracle Retail Applications Critical Patch Update
                              19 October 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Oracle Retail Assortment Planning
                  Oracle Retail Back Office
                  Oracle Retail Central Office
                  Oracle Retail Customer Insights
                  Oracle Retail EFTLink
                  Oracle Retail Fiscal Management
                  Oracle Retail Merchandising System
                  Oracle Retail Point Of Service
                  Oracle Retail Predictive Application Server
                  Oracle Retail Returns Management
                  Oracle Retail Sales Audit
                  Oracle Retail Service Backbone
Operating System: Windows
                  UNIX variants (UNIX, Linux, OSX)
Resolution:       Patch/Upgrade
CVE Names:        CVE-2022-29577 CVE-2022-25647 CVE-2022-23437
                  CVE-2022-23305 CVE-2022-22971 CVE-2022-2048
                  CVE-2021-43859 CVE-2021-41184 CVE-2021-36374
                  CVE-2021-29425 CVE-2021-28490 CVE-2020-36518
                  CVE-2020-6950  

Comment: CVSS (Max):  9.8* CVE-2022-23305 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: [Oracle], NVD
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

OVERVIEW

        Multiple vulnerabilities have been identified in :
         o Oracle Retail Assortment Planning, version 16.0.3
         o Oracle Retail Back Office, version 14.1
         o Oracle Retail Central Office, version 14.1
         o Oracle Retail Customer Insights, versions 15.0.2, 15.2, 16.0.2
         o Oracle Retail Customer Management and Segmentation Foundation,
           versions 17.0, 18.0, 19.0
         o Oracle Retail EFTLink, versions 20.0.1, 21.0.0
         o Oracle Retail Fiscal Management, version 14.2
         o Oracle Retail Merchandising System, versions 14.1.3.2,
           15.0.3.1, 19.0.1
         o Oracle Retail Point Of Service, version 14.1
         o Oracle Retail Predictive Application Server, versions
           14.1.3.47, 15.0.3.116, 16.0.3.260
         o Oracle Retail Returns Management, version 14.1
         o Oracle Retail Sales Audit, version 19.0.1
         o Oracle Retail Service Backbone, versions 14.1.3.2, 15.0.3.1,
           16.0.3
        [1]


IMPACT

        The vendor has provided the following information regarding the
        vulnerabilities:
        
        "This Critical Patch Update contains 27 new security patches for
        Oracle Retail Applications. 21 of these vulnerabilities may be
        remotely exploitable without authentication, i.e., may be exploited
        over a network without requiring user credentials." [1]
        
        "CVE-2022-23305
         9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        The supported version that is affected is 14.2. Easily exploitable
        vulnerability allows unauthenticated attacker with network access via
        HTTP to compromise Oracle Retail Fiscal Management. Successful
        attacks of this vulnerability can result in takeover of Oracle Retail
        Fiscal Management.
         Affects:
         o Oracle Retail Fiscal Management 14.2
        
        CVE-2021-28490
         8.8 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
        Supported versions that are affected are 18.0 and 19.0. Easily
        exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle Retail Customer
        Management and Segmentation Foundation. Successful attacks require
        human interaction from a person other than the attacker. Successful
        attacks of this vulnerability can result in takeover of Oracle Retail
        Customer Management and Segmentation Foundation.
         Affects:
         o Oracle Retail Customer Management and Segmentation Foundation
           18.0, 19.0
        
        CVE-2021-43859
         7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
        Supported versions that are affected are 15.0.2 and 16.0.2. Easily
        exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle Retail Customer
        Insights. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of Oracle Retail Customer Insights.
         Affects:
         o Oracle Retail Customer Insights 15.0.2, 16.0.2
        
        CVE-2022-25647
         7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
        Supported versions that are affected are 17.0, 18.0 and 19.0. Easily
        exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle Retail Customer
        Management and Segmentation Foundation. Successful attacks of this
        vulnerability can result in unauthorized ability to cause a hang or
        frequently repeatable crash (complete DOS) of Oracle Retail Customer
        Management and Segmentation Foundation.
         Affects:
         o Oracle Retail Customer Management and Segmentation Foundation
           17.0, 18.0, 19.0
         o Oracle Retail EFTLink 20.0.1, 21.0.0
        
        CVE-2022-2048
         7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
        Supported versions that are affected are 20.0.1 and 21.0.0. Easily
        exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle Retail EFTLink.
        Successful attacks of this vulnerability can result in unauthorized
        ability to cause a hang or frequently repeatable crash (complete DOS)
        of Oracle Retail EFTLink.
         Affects:
         o Oracle Retail EFTLink 20.0.1, 21.0.0
        
        CVE-2020-36518
         7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
        The supported version that is affected is 15.0.3.1. Easily
        exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle Retail Merchandising
        System. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of Oracle Retail Merchandising System.
         Affects:
         o Oracle Retail Merchandising System 15.0.3.1
         o Oracle Retail Service Backbone 14.1.3.2, 15.0.3.1, 16.0.3
        
        CVE-2022-22971
         6.5 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
        The supported version that is affected is 16.0.3. Easily exploitable
        vulnerability allows low privileged attacker with network access via
        HTTP to compromise Oracle Retail Assortment Planning. Successful
        attacks of this vulnerability can result in unauthorized ability to
        cause a hang or frequently repeatable crash (complete DOS) of Oracle
        Retail Assortment Planning.
         Affects:
         o Oracle Retail Assortment Planning 16.0.3
         o Oracle Retail Customer Insights 15.0.2, 16.0.2
         o Oracle Retail Merchandising System 19.0.1
         o Oracle Retail Predictive Application Server 14.1.3.47,
           15.0.3.116, 16.0.3.260
        
        CVE-2022-23437
         6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
        The supported version that is affected is 14.1. Easily exploitable
        vulnerability allows unauthenticated attacker with network access via
        HTTP to compromise Oracle Retail Back Office. Successful attacks
        require human interaction from a person other than the attacker.
        Successful attacks of this vulnerability can result in unauthorized
        ability to cause a hang or frequently repeatable crash (complete DOS)
        of Oracle Retail Back Office.
         Affects:
         o Oracle Retail Back Office 14.1
         o Oracle Retail Central Office 14.1
         o Oracle Retail Fiscal Management 14.2
         o Oracle Retail Point Of Service 14.1
         o Oracle Retail Returns Management 14.1
        
        CVE-2020-6950
         6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
        Supported versions that are affected are 15.0.2 and 16.0.2. Easily
        exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle Retail Customer
        Insights. Successful attacks require human interaction from a person
        other than the attacker. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Oracle Retail Customer Insights accessible data.
         Affects:
         o Oracle Retail Customer Insights 15.0.2, 16.0.2
        
        CVE-2022-29577
         6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        The supported version that is affected is 14.1. Easily exploitable
        vulnerability allows unauthenticated attacker with network access via
        HTTP to compromise Oracle Retail Back Office. Successful attacks
        require human interaction from a person other than the attacker and
        while the vulnerability is in Oracle Retail Back Office, attacks may
        significantly impact additional products (scope change). Successful
        attacks of this vulnerability can result in unauthorized update,
        insert or delete access to some of Oracle Retail Back Office
        accessible data as well as unauthorized read access to a subset of
        Oracle Retail Back Office accessible data.
         Affects:
         o Oracle Retail Back Office 14.1
         o Oracle Retail Central Office 14.1
         o Oracle Retail Returns Management 14.1
        
        CVE-2021-41184
         6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        The supported version that is affected is 14.1. Easily exploitable
        vulnerability allows unauthenticated attacker with network access via
        HTTP to compromise Oracle Retail Back Office. Successful attacks
        require human interaction from a person other than the attacker and
        while the vulnerability is in Oracle Retail Back Office, attacks may
        significantly impact additional products (scope change). Successful
        attacks of this vulnerability can result in unauthorized update,
        insert or delete access to some of Oracle Retail Back Office
        accessible data as well as unauthorized read access to a subset of
        Oracle Retail Back Office accessible data.
         Affects:
         o Oracle Retail Back Office 14.1
         o Oracle Retail Central Office 14.1
         o Oracle Retail Returns Management 14.1
        
        CVE-2021-36374
         5.5 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
        The supported version that is affected is 14.1.3.2. Easily
        exploitable vulnerability allows unauthenticated attacker with logon
        to the infrastructure where Oracle Retail Merchandising System
        executes to compromise Oracle Retail Merchandising System. Successful
        attacks require human interaction from a person other than the
        attacker. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of Oracle Retail Merchandising System.
         Affects:
         o Oracle Retail Merchandising System 14.1.3.2
         o Oracle Retail Sales Audit 19.0.1
        
        CVE-2021-29425
         4.8 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
        Supported versions that are affected are 15.02 and 16.0.2. Difficult
        to exploit vulnerability allows unauthenticated attacker with network
        access via HTTP to compromise Oracle Retail Customer Insights.
        Successful attacks of this vulnerability can result in unauthorized
        update, insert or delete access to some of Oracle Retail Customer
        Insights accessible data as well as unauthorized read access to a
        subset of Oracle Retail Customer Insights accessible data.
         Affects:
         o Oracle Retail Customer Insights 15.02, 16.0.2" [2]


MITIGATION

        Oracle states:
        
        "Due to the threat posed by a successful attack, Oracle strongly
        recommends that customers apply CPU fixes as soon as possible. Until
        you apply the CPU fixes, it may be possible to reduce the risk of
        successful attack by blocking network protocols required by an
        attack. For attacks that require certain privileges or access to
        certain packages, removing the privileges or the ability to access
        the packages from users that do not need the privileges may help
        reduce the risk of successful attack. Both approaches may break
        application functionality, so Oracle strongly recommends that
        customers test changes on non-production systems. Neither approach
        should be considered a long-term solution as neither corrects the
        underlying problem." [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - October 2022
            https://www.oracle.com/security-alerts/cpuoct2022.html

        [2] Text Form of Oracle Critical Patch Update - October 2022 Risk
            Matrices
            https://www.oracle.com/security-alerts/cpuoct2022verbose.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBY0+TKckNZI30y1K9AQgf2A/9FyI9/REViHj+ncg4Dg2xt/vv/7BMKdUK
+oyaVeu3JabqAWfKJ9/tv7vmw1YAPp7s6Y4O0isKoqbmB0bE8InLSnvpeeie4a0d
chUxG4eoDioSsG79vLrzFkNZih+8yp6zpRdACmDdovRcc8V0JMv8SXCuBFEGYIAD
q5mwJHdhwIPCDB/3kcSw91M29vGavjgX7bD6zadgKtxh4Ge6ewGRFywKlf2eRTWk
Ro4Zo4wpAiq3YB+X+k70uHDw/k+ob/i8VSEfvmo+O6h38RTH+/+6xhSvl/lhoqXQ
ViepTfqMwZL3o2Y2HooVDf1xVXvJDnvNhFS/rjG+QLpNKlDTXM25lgEx0R57CiEZ
Gfw3L5/zpjgB0xAe6cw4ci3M3NTDMMnhBMVFgYUqdXs8118CSeHF7tLPSLGc5+an
6qax3eFW5EsHBgfL4Op/xMAhp/kzsrjE1c3s4IKPC5r8avd0LE3L0cbOI6Od9mjI
OIKjbCB/w8x73Sehc0e28+E2lnXB9zr3h1hWvaQzpXKUEQ9yDa9EEWXCoBHx1cBc
Y7H+YPi8Oea9uY1//QCuF2665eChGDgcoASX2CJNbM8HlaJ4qZyoBqntcjXzex+I
yEvaEJKuqOfw1J+1hfJBEfG3NObzkRdoJESCD5t17k4b17d1nBYua4hQnYwSDY8l
sHgjrZUDayg=
=0t2t
-----END PGP SIGNATURE-----