Multiple vulnerabilities in Oracle Financial Services Applications

Updated: 2020-01-26
Risk: High
Patch available: Yes
Number of vulnerabilities: 10
CVE-ID: CVE-2018-2746, CVE-2018-2747, CVE-2018-2748, CVE-2018-2749, CVE-2018-2807, CVE-2018-2854, CVE-2018-2855, CVE-2018-2856, CVE-2018-2859, CVE-2018-7489
CWE-ID: CWE-264, CWE-502
Exploitation vector: Network
Public exploit: N/A

Vulnerable software:
Oracle Banking Corporate Lending (Web applications / Remote management & hosting panels)
Oracle Financial Services Basel Regulatory Capital Basic (Web applications / Remote management & hosting panels)
Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach (Web applications / Remote management & hosting panels)
Oracle FLEXCUBE Core Banking (Client/Desktop applications / Other client software)
Oracle Financial Services Hedge Management and IFRS Valuations (Client/Desktop applications / Other client software)
Oracle Financial Services Market Risk Measurement and Management (Client/Desktop applications / Other client software)
Oracle Financial Services Analytical Applications Infrastructure (Other software / Other software solutions)

Vendor: Oracle

Security Bulletin

This security bulletin contains information about 10 vulnerabilities.

1) Security restrictions bypass

EUVDB-ID: #VU11964

Risk: Low

CVSSv4.0: 5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-2746

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in the Oracle Banking Corporate Lending component of Oracle Financial Services Applications due to improper security restrictions. A remote attacker can gain unauthorized access to critical data, or complete access to all data accessible to Oracle Banking Corporate Lending, as well as unauthorized update, insert or delete access to some of that data.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle Banking Corporate Lending: 12.3.0 - 14.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Security restrictions bypass

EUVDB-ID: #VU11965

Risk: Low

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-2747

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the Oracle Banking Corporate Lending component of Oracle Financial Services Applications due to improper security restrictions. A remote attacker can gain unauthorized access to critical data, or complete access to all data accessible to Oracle Banking Corporate Lending.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle Banking Corporate Lending: 12.3.0 - 14.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Security restrictions bypass

EUVDB-ID: #VU11966

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-2748

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in the Oracle Banking Corporate Lending component of Oracle Financial Services Applications due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file, then update, insert or delete some of the data accessible to Oracle Banking Corporate Lending and gain unauthorized read access to a subset of that data.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle Banking Corporate Lending: 12.3.0 - 14.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Security restrictions bypass

EUVDB-ID: #VU11969

Risk: Low

CVSSv4.0: 1.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-2749

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in the Oracle Banking Corporate Lending component of Oracle Financial Services Applications due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file, then update, insert or delete some of the data accessible to Oracle Banking Corporate Lending and gain unauthorized read access to a subset of that data.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle Banking Corporate Lending: 12.3.0 - 14.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Security restrictions bypass

EUVDB-ID: #VU11971

Risk: Low

CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-2807

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in the Oracle FLEXCUBE Core Banking component of Oracle Financial Services Applications due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file, then update, insert or delete some of the data accessible to Oracle FLEXCUBE Core Banking and gain unauthorized read access to a subset of that data.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle FLEXCUBE Core Banking: 11.5.0 - 11.7.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Security restrictions bypass

EUVDB-ID: #VU11976

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-2854

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in the Oracle Financial Services Basel Regulatory Capital Basic component of Oracle Financial Services Applications due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file, then update, insert or delete some of the data accessible to Oracle Financial Services Basel Regulatory Capital Basic and gain unauthorized read access to a subset of that data.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle Financial Services Basel Regulatory Capital Basic: 8.0.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Security restrictions bypass

EUVDB-ID: #VU11978

Risk: Low

CVSSv4.0: 6.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-2855

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in the Oracle Financial Services Basel Regulatory Capital Basic component of Oracle Financial Services Applications due to improper security restrictions. A remote attacker can create, delete or modify critical data, or all data accessible to Oracle Financial Services Basel Regulatory Capital Basic, and gain unauthorized access to critical data or complete access to all of that data.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle Financial Services Basel Regulatory Capital Basic: 8.0.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Security restrictions bypass

EUVDB-ID: #VU11979

Risk: Low

CVSSv4.0: 6.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-2856

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in the Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach component of Oracle Financial Services Applications due to improper security restrictions. A remote attacker can create, delete or modify critical data, or all data accessible to Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, and gain unauthorized access to critical data or complete access to all of that data.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach: 8.0.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Security restrictions bypass

EUVDB-ID: #VU11980

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-2859

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in the Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach component of Oracle Financial Services Applications due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file, then update, insert or delete some of the data accessible to Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach and gain unauthorized read access to a subset of that data.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach: 8.0.0

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Deserialization of untrusted data

EUVDB-ID: #VU11268

Risk: High

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2018-7489

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to bypass security restrictions and execute arbitrary code on the target system.

The weakness exists in the readValue method, which deserializes JSON without adequately validating user input. A remote attacker can send malicious JSON input, bypass security restrictions and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

Oracle Financial Services Analytical Applications Infrastructure: 8.0.0 - 8.0.5

Oracle Financial Services Hedge Management and IFRS Valuations: 8.0.4 - 8.0.5

Oracle Financial Services Market Risk Measurement and Management: 8.0.5

External links

https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.