SB2026060236 - Multiple vulnerabilities in Crucible Data Center and Crucible Server

Description

This security bulletin contains information about 2 vulnerabilities.

1) Deserialization of Untrusted Data (CVE-ID: CVE-2026-27830)

CWE-ID: CWE-502 - Deserialization of Untrusted Data

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to unsafe deserialization in the userOverridesAsString property of c3p0 ConnectionPoolDataSource implementations when processing maliciously crafted Java-serialized objects or javax.naming.Reference instances. A remote user can reset this property or supply crafted serialized objects or references to execute arbitrary code.

The impact can be amplified when embedded JNDI references trigger dereferencing of a remote factoryClassLocation.

2) Improper input validation (CVE-ID: CVE-2026-27727)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Platform Security (Mchange Commons Java) component in Oracle Business Intelligence Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.

Remediation

Install update from vendor's website.

References

• https://jira.atlassian.com/browse/CRUC-8698
• https://jira.atlassian.com/browse/CRUC-8699