SB2018011707 - Multiple vulnerabilities in Oracle Financial Services Applications




Published: January 17, 2018

Security Bulletin ID: SB2018011707
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 34
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium 41%, Low 59%

Description

This security bulletin contains information about 34 vulnerabilities.


1) Security restrictions bypass (CVE-ID: CVE-2018-2592)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Balance Sheet Planning User Interface component. A remote attacker can access and modify data.

2) Information disclosure (CVE-ID: CVE-2018-2614)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists due to a flaw in the Oracle FLEXCUBE Universal Banking Infrastructure component. A remote attacker can access important data.

3) Security restrictions bypass (CVE-ID: CVE-2018-2626)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Balance Sheet Planning User Interface component. A remote attacker can partially access and partially modify data.

4) Security restrictions bypass (CVE-ID: CVE-2018-2630)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle FLEXCUBE Universal Banking Security Management System component. A remote attacker can partially access and partially modify data.

5) Privilege escalation (CVE-ID: CVE-2018-2648)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.

The weakness exists due to a flaw in the Oracle FLEXCUBE Universal Banking Infrastructure component. A remote attacker can gain administrative privileges.

6) Denial of service (CVE-ID: CVE-2018-2649)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote authenticated attacker to cause a DoS condition on the target system.

The weakness exists due to a flaw in the Oracle FLEXCUBE Universal Banking Infrastructure component. A remote attacker can modify data and cause denial of service conditions.

7) Security restrictions bypass (CVE-ID: CVE-2018-2660)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:U/U:Green


The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Analytical Applications Infrastructure Core component. A remote attacker can partially access data, partially modify data, and partially deny service.

8) Security restrictions bypass (CVE-ID: CVE-2018-2661)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Analytical Applications Infrastructure Core component. A remote attacker can partially access and partially modify data.

9) Security restrictions bypass (CVE-ID: CVE-2018-2670)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Profitability Management User Interface component. A remote attacker can partially access and partially modify data.

10) Security restrictions bypass (CVE-ID: CVE-2018-2674)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle FLEXCUBE Direct Banking Logoff component. A remote attacker can partially access and partially modify data.

11) Security restrictions bypass (CVE-ID: CVE-2018-2679)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Profitability Management User Interface component. A remote attacker can access and modify data.

12) Security restrictions bypass (CVE-ID: CVE-2018-2682)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Liquidity Risk Management User Interface component. A remote attacker can partially access and partially modify data.

13) Security restrictions bypass (CVE-ID: CVE-2018-2692)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Asset Liability Management User Interface component. A remote attacker can partially access and partially modify data.

14) Denial of service (CVE-ID: CVE-2018-2704)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote authenticated attacker to cause a DoS condition on the target system.

The weakness exists due to a flaw in the Oracle Banking Payments Payments Core component. A remote attacker can modify data and cause denial of service conditions.

15) Privilege escalation (CVE-ID: CVE-2018-2705)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.

The weakness exists due to a flaw in the Oracle Banking Payments Payments Core component. A remote attacker can gain administrative privileges.

16) Privilege escalation (CVE-ID: CVE-2018-2706)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.

The weakness exists due to a flaw in the Oracle Banking Corporate Lending Core module component. A remote attacker can gain administrative privileges.

17) Denial of service (CVE-ID: CVE-2018-2707)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote authenticated attacker to cause a DoS condition on the target system.

The weakness exists due to a flaw in the Oracle Banking Corporate Lending Core module component. A remote attacker can modify data and cause denial of service conditions.

18) Information disclosure (CVE-ID: CVE-2018-2708)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists due to a flaw in the Oracle Banking Payments Payments Core component. A remote attacker can access important data.

19) Information disclosure (CVE-ID: CVE-2018-2709)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists due to a flaw in the Oracle Banking Corporate Lending Core module component. A remote attacker can access important data.

20) Security restrictions bypass (CVE-ID: CVE-2018-2712)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Loan Loss Forecasting and Provisioning User Interface component. A remote attacker can partially access and partially modify data.

21) Security restrictions bypass (CVE-ID: CVE-2018-2714)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Market Risk User Interface component. A remote attacker can partially access and partially modify data.

22) Security restrictions bypass (CVE-ID: CVE-2018-2716)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Market Risk Measurement and Management User Interface component. A remote attacker can partially access and partially modify data.

23) Security restrictions bypass (CVE-ID: CVE-2018-2719)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Hedge Management and IFRS Valuations User Interface component. A remote attacker can partially access and partially modify data.

24) Security restrictions bypass (CVE-ID: CVE-2018-2720)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Liquidity Risk Management User Interface component. A remote attacker can access and modify data.

25) Security restrictions bypass (CVE-ID: CVE-2018-2721)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Price Creation and Discovery User Interface component. A remote attacker can access and modify data.

26) Security restrictions bypass (CVE-ID: CVE-2018-2722)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Price Creation and Discovery User Interface component. A remote attacker can partially access and partially modify data.

27) Security restrictions bypass (CVE-ID: CVE-2018-2723)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Asset Liability Management User Interface component. A remote attacker can access and modify data.

28) Security restrictions bypass (CVE-ID: CVE-2018-2724)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Loan Loss Forecasting and Provisioning User Interface component. A remote attacker can access and modify data.

29) Security restrictions bypass (CVE-ID: CVE-2018-2725)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Hedge Management and IFRS Valuations User Interface component. A remote attacker can access and modify data.

30) Security restrictions bypass (CVE-ID: CVE-2018-2726)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Market Risk User Interface component. A remote attacker can access and modify data.

31) Security restrictions bypass (CVE-ID: CVE-2018-2727)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Market Risk Measurement and Management User Interface component. A remote attacker can access and modify data.

32) Security restrictions bypass (CVE-ID: CVE-2018-2728)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Funds Transfer Pricing User Interface component. A remote attacker can partially access and partially modify data.

33) Security restrictions bypass (CVE-ID: CVE-2018-2729)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Funds Transfer Pricing User Interface component. A remote attacker can access and modify data.

34) Security restrictions bypass (CVE-ID: CVE-2018-2732)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Analytical Applications Reconciliation Framework User Interface component. A remote attacker can partially access and partially modify data.

Remediation

Install the update from the vendor's website.