SB2018041910 - Multiple vulnerabilities in Oracle Financial Services Applications
Published: April 19, 2018 Updated: January 26, 2020
Description
This security bulletin contains information about 10 security vulnerabilities.
1) Security restrictions bypass (CVE-ID: CVE-2018-2746)
The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system. The weakness exists in the Oracle Banking Corporate Lending component of Oracle Financial Services Applications due to improper security restrictions. A remote attacker can gain unauthorized access to critical data or complete access to all Oracle Banking Corporate Lending accessible data, as well as unauthorized update, insert or delete access to some of the Oracle Banking Corporate Lending accessible data.
2) Security restrictions bypass (CVE-ID: CVE-2018-2747)
The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system. The weakness exists in the Oracle Banking Corporate Lending component of Oracle Financial Services Applications due to improper security restrictions. A remote attacker can gain unauthorized access to critical data or complete access to all Oracle Banking Corporate Lending accessible data.
3) Security restrictions bypass (CVE-ID: CVE-2018-2748)
The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system. The weakness exists in the Oracle Banking Corporate Lending component of Oracle Financial Services Applications due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file, update, insert or delete some of the Oracle Banking Corporate Lending accessible data, and gain unauthorized read access to a subset of the Oracle Banking Corporate Lending accessible data.
4) Security restrictions bypass (CVE-ID: CVE-2018-2749)
The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system. The weakness exists in the Oracle Banking Corporate Lending component of Oracle Financial Services Applications due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file, update, insert or delete some of the Oracle Banking Corporate Lending accessible data, and gain unauthorized read access to a subset of the Oracle Banking Corporate Lending accessible data.
5) Security restrictions bypass (CVE-ID: CVE-2018-2807)
The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system. The weakness exists in the Oracle FLEXCUBE Core Banking component of Oracle Financial Services Applications due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file, update, insert or delete some of the Oracle FLEXCUBE Core Banking accessible data, and gain unauthorized read access to a subset of the Oracle FLEXCUBE Core Banking accessible data.
6) Security restrictions bypass (CVE-ID: CVE-2018-2854)
The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system. The weakness exists in the Oracle Financial Services Basel Regulatory Capital Basic component of Oracle Financial Services Applications due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file, update, insert or delete some of the Oracle Financial Services Basel Regulatory Capital Basic accessible data, and gain unauthorized read access to a subset of the Oracle Financial Services Basel Regulatory Capital Basic accessible data.
7) Security restrictions bypass (CVE-ID: CVE-2018-2855)
The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system. The weakness exists in the Oracle Financial Services Basel Regulatory Capital Basic component of Oracle Financial Services Applications due to improper security restrictions. A remote attacker can create, delete or modify critical data or all Oracle Financial Services Basel Regulatory Capital Basic accessible data, and gain unauthorized access to critical data or complete access to all Oracle Financial Services Basel Regulatory Capital Basic accessible data.
8) Security restrictions bypass (CVE-ID: CVE-2018-2856)
The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system. The weakness exists in the Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach component of Oracle Financial Services Applications due to improper security restrictions. A remote attacker can create, delete or modify critical data or all Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach accessible data, and gain unauthorized access to critical data or complete access to all Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach accessible data.
9) Security restrictions bypass (CVE-ID: CVE-2018-2859)
The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system. The weakness exists in the Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach component of Oracle Financial Services Applications due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file, update, insert or delete some of the Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach accessible data, and gain unauthorized read access to a subset of the Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach accessible data.
10) Deserialization of untrusted data (CVE-ID: CVE-2018-7489)
The vulnerability allows a remote unauthenticated attacker to bypass security restrictions and execute arbitrary code on the target system. The weakness exists in the readValue method due to improper validation of user input. A remote attacker can send malicious JSON input, bypass security restrictions and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Remediation
Install the update from the vendor's website.