Multiple vulnerabilities in Oracle Financial Services Crime and Compliance Management Studio



Published: 2022-07-20
Risk High
Patch available YES
Number of vulnerabilities 16
CVE-ID CVE-2021-34429
CVE-2022-24823
CVE-2022-22971
CVE-2022-23437
CVE-2022-23181
CVE-2021-23337
CVE-2020-7712
CVE-2021-37714
CVE-2020-36518
CVE-2022-25647
CVE-2021-38296
CVE-2021-36090
CVE-2020-9492
CVE-2022-22978
CVE-2018-1273
CVE-2021-41303
CWE-ID CWE-284
CWE-378
CWE-20
CWE-835
CWE-264
CWE-77
CWE-787
CWE-502
CWE-400
CWE-285
CWE-113
CWE-287
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Public exploit code for vulnerability #14 is available.
Vulnerability #15 is being exploited in the wild.
Vulnerable software
Subscribe
Oracle Financial Services Crime and Compliance Management Studio
Web applications / Other software

Vendor Oracle

Security Bulletin

This security bulletin contains information about 16 vulnerabilities.

1) Improper access control

EUVDB-ID: #VU56964

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-34429

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper input validation when processing certain characters in URI. A remote attacker can send a specially crafted HTTP request with encoded characters in URI, bypass implemented security restrictions and access content of the WEB-INF directory.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Financial Services Crime and Compliance Management Studio: 8.0.8.2.0 - 8.0.8.3.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?964481

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Creation of Temporary File With Insecure Permissions

EUVDB-ID: #VU62849

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-24823

CWE-ID: CWE-378 - Creation of Temporary File With Insecure Permissions

Exploit availability: No

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to usage of insecure permissions for temporary files. A local user can view contents of temporary files and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Financial Services Crime and Compliance Management Studio: 8.0.8.2.0 - 8.0.8.3.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?964481

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Input validation error

EUVDB-ID: #VU63085

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-22971

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within the Spring application with a STOMP over WebSocket endpoint. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Financial Services Crime and Compliance Management Studio: 8.0.8.2.0 - 8.0.8.3.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?964481

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

4) Infinite loop

EUVDB-ID: #VU59965

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-23437

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop when parsing XML documents. A remote attacker can supply a specially crafted XML document, consume all available system resources and cause denial of service conditions.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Financial Services Crime and Compliance Management Studio: 8.0.8.2.0 - 8.0.8.3.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?964481

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

5) Security restrictions bypass

EUVDB-ID: #VU60079

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-23181

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a time of check, time of use flaw when configured to persist sessions using the FileStore. A local user can perform certain actions which lead to security restrictions bypass and privilege escalation (code execution with Tomcat process privileges).

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Financial Services Crime and Compliance Management Studio: 8.0.8.2.0 - 8.0.8.3.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?964481

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

6) Command Injection

EUVDB-ID: #VU53202

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-23337

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote user to execute arbitrary commands on the system.

The vulnerability exists due to improper input validation when processing templates. A remote privileged user can inject and execute arbitrary commands on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Financial Services Crime and Compliance Management Studio: 8.0.8.2.0 - 8.0.8.3.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?964481

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

7) Improper input validation

EUVDB-ID: #VU55238

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-7712

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Reports (Apache ZooKeeper) component in Oracle Financial Services Regulatory Reporting with AgileREPORTER. A remote privileged user can exploit this vulnerability to execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Financial Services Crime and Compliance Management Studio: 8.0.8.2.0 - 8.0.8.3.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?964481

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

8) Infinite loop

EUVDB-ID: #VU58176

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-37714

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop when processing untrusted HTML and XML code. A remote attacker can consume all available system resources and cause denial of service conditions.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Financial Services Crime and Compliance Management Studio: 8.0.8.2.0 - 8.0.8.3.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?964481

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

9) Out-of-bounds write

EUVDB-ID: #VU61799

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-36518

CWE-ID: CWE-787 - Out-of-bounds Write

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can trigger out-of-bounds write and cause a denial of service condition on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Financial Services Crime and Compliance Management Studio: 8.0.8.2.0 - 8.0.8.3.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?964481

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

10) Deserialization of Untrusted Data

EUVDB-ID: #VU64152

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-25647

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to insecure input validation when processing serialized data passed to writeReplace() method. A remote attacker can pass specially crafted data to the application and perform a denial of service attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Financial Services Crime and Compliance Management Studio: 8.0.8.2.0 - 8.0.8.3.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?964481

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

11) Improper input validation

EUVDB-ID: #VU65470

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-38296

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Studio (Apache Spark) component in Oracle Financial Services Crime and Compliance Management Studio. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Financial Services Crime and Compliance Management Studio: 8.0.8.2.0 - 8.0.8.3.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?964481

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

12) Resource exhaustion

EUVDB-ID: #VU54853

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-36090

CWE-ID: CWE-400 - Uncontrolled Resource Consumption ('Resource Exhaustion')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when processing ZIP archives. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Financial Services Crime and Compliance Management Studio: 8.0.8.2.0 - 8.0.8.3.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?964481

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

13) Security restrictions bypass

EUVDB-ID: #VU50000

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-9492

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to the way Apache Hadoop handles SPNEGO authorization headers. A remote WebHDFS client can trigger services to send server credentials to a webhdfs path for capturing the service principal.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Financial Services Crime and Compliance Management Studio: 8.0.8.2.0 - 8.0.8.3.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?964481

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

14) Improper Authorization

EUVDB-ID: #VU63345

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-22978

CWE-ID: CWE-285 - Improper Authorization

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to bypass authorization process.

The vulnerability exists due to input validation error when processing untrusted input in applications that are using RegexRequestMatcher with `.` in the regular expression. A remote non-authenticated attacker can bypass authorization checks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Financial Services Crime and Compliance Management Studio: 8.0.8.2.0 - 8.0.8.3.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?964481

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

15) HTTP response splitting

EUVDB-ID: #VU11918

Risk: High

CVSSv3.1:

CVE-ID: CVE-2018-1273

CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated attacker to execute arbitrary code on the target system.

The weakness exists due to improper neutralization of special elements. A remote attacker can supply specially crafted request parameters against Spring Data REST backed HTTP resources or use Spring Data's projection-based request payload binding hat and execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Financial Services Crime and Compliance Management Studio: 8.0.8.2.0 - 8.0.8.3.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?964481

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

16) Improper Authentication

EUVDB-ID: #VU56683

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-41303

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in when processing authentication requests, when using Apache Shiro with Spring Boot. A remote attacker can bypass authentication process and gain unauthorized access to the application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle Financial Services Crime and Compliance Management Studio: 8.0.8.2.0 - 8.0.8.3.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?964481

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###