SB2017041803 - Multiple vulnerabilities in Oracle Financial Services Applications

Published: April 18, 2017

Security Bulletin ID: SB2017041803
Severity: High
Patch available: YES
Number of vulnerabilities: 43
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 2%, Medium: 2%, Low: 95%

Description

This security bulletin contains information about 43 security vulnerabilities.


1) Security restrictions bypass (CVE-ID: CVE-2017-3495)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the Oracle FLEXCUBE Direct Banking component due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file and gain access to a subset of Oracle FLEXCUBE Direct Banking accessible data.

2) Information disclosure (CVE-ID: CVE-2017-3499)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the Oracle Social Network component due to improper information control. A remote attacker can gain unauthorized access to critical data or complete access to all accessible data.

3) Improper access control (CVE-ID: CVE-2017-3555)

The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.

The weakness exists in the Oracle iReceivables component due to improper access control. A remote attacker can cause the service to crash.

4) Information disclosure (CVE-ID: CVE-2017-3556)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in the Oracle Application Object Library component due to improper information control. A remote attacker can gain access to potentially sensitive information.

5) Improper access control (CVE-ID: CVE-2017-3230)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information, modify arbitrary data and cause a DoS condition on the target system.

The weakness exists in the Oracle Fusion Middleware MapViewer component due to improper access control. A remote attacker can gain access to potentially sensitive information, create, delete or modify arbitrary data and cause the service to crash.

6) Improper access control (CVE-ID: CVE-2017-3528)

The vulnerability allows a remote attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in the Oracle Applications Framework component due to improper access control. A remote attacker can trick the victim into visiting a specially crafted website, gain access to potentially sensitive information and update, insert or delete arbitrary data.

7) Improper access control (CVE-ID: CVE-2017-3517)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and cause a DoS condition on the target system.

The weakness exists in the JD Edwards EnterpriseOne Tools component due to improper access control. A remote attacker can gain access to potentially sensitive information and cause the service to crash.

8) Improper access control (CVE-ID: CVE-2017-3621)

The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.

The weakness exists in the Sun ZFS Storage Appliance Kit (AK) component due to improper access control. A remote attacker can cause the service to crash.

9) Improper access control (CVE-ID: CVE-2017-3625)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in the Oracle WebCenter Content component due to improper access control. A remote attacker can trick the victim into opening specially crafted input, gain access to critical data or complete access to all accessible data, as well as update, insert or delete arbitrary files.

10) Improper access control (CVE-ID: CVE-2017-3553)

The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.

The weakness exists due to improper access control. A remote attacker can execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

11) Improper access control (CVE-ID: CVE-2017-3547)

The vulnerability allows a remote unauthenticated attacker to write arbitrary files on the target system.

The weakness exists in the PeopleSoft Enterprise PeopleTools component due to improper access control. A remote attacker can trick the victim into opening specially crafted input, create, delete or modify critical data or all accessible data.

12) Improper access control (CVE-ID: CVE-2017-3549)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information or write arbitrary files on the target system.

The weakness exists in the Oracle Scripting component due to improper access control. A remote attacker can gain access to critical data or complete access to all accessible data and create, delete or modify critical data or all accessible data.

13) Improper access control (CVE-ID: CVE-2017-3550)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in the Oracle Customer Interaction History component due to improper access control. A remote attacker can trick the victim into visiting a specially crafted website, gain access to critical data or complete access to all accessible data and update, insert or delete some accessible data.

14) Improper access control (CVE-ID: CVE-2017-3337)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in the Oracle Marketing component due to improper access control. A remote attacker can trick the victim into visiting a specially crafted website, gain access to critical data or complete access to all accessible data and update, insert or delete some accessible data.

15) Improper access control (CVE-ID: CVE-2017-3393)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in the Oracle Advanced Outbound Telephony component due to improper access control. A remote attacker can trick the victim into visiting a specially crafted website, gain access to critical data or complete access to all accessible data and update, insert or delete some accessible data.

16) Improper access control (CVE-ID: CVE-2017-3432)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in the Oracle One-to-One Fulfillment component due to improper access control. A remote attacker can trick the victim into visiting a specially crafted website, gain access to critical data or complete access to all accessible data and update, insert or delete some accessible data.

17) Improper access control (CVE-ID: CVE-2017-3604)

The vulnerability allows a local unauthenticated attacker to execute arbitrary code on the target system.

The weakness exists in the Data Store component due to improper access control. A local attacker can execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

18) Security restrictions bypass (CVE-ID: CVE-2017-3493)

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and cause a DoS condition on the target system.

The weakness exists in Oracle FLEXCUBE Enterprise Limits and Collateral Management due to improper security restrictions. A remote attacker can gain unauthorized access to critical data or complete access to all Oracle FLEXCUBE Enterprise Limits and Collateral Management accessible data and partially cause the service to crash.

19) Security restrictions bypass (CVE-ID: CVE-2017-3472)

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in Oracle FLEXCUBE Private Banking due to improper security restrictions. A remote attacker can create, delete or modify critical data or all Oracle FLEXCUBE Private Banking accessible data and gain unauthorized access to critical data or complete access to all Oracle FLEXCUBE Private Banking accessible data.

20) Security restrictions bypass (CVE-ID: CVE-2017-3476)

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in Oracle FLEXCUBE Private Banking due to improper security restrictions. A remote attacker can create, delete or modify critical data or all Oracle FLEXCUBE Private Banking accessible data and update, insert or delete some of Oracle FLEXCUBE Private Banking accessible data.

21) Security restrictions bypass (CVE-ID: CVE-2017-3485)

The vulnerability allows a remote authenticated attacker to write arbitrary files and cause a DoS condition on the target system.

The weakness exists in Oracle FLEXCUBE Universal Banking due to improper security restrictions. A remote attacker can create, delete or modify critical data or all Oracle FLEXCUBE Universal Banking accessible data and cause the service to crash.

22) Information disclosure (CVE-ID: CVE-2017-3491)

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in Oracle FLEXCUBE Enterprise Limits and Collateral Management due to improper security restrictions. A remote attacker can gain unauthorized access to critical data or complete access to all Oracle FLEXCUBE Enterprise Limits and Collateral Management accessible data.

23) Security restrictions bypass (CVE-ID: CVE-2017-3488)

The vulnerability allows a remote authenticated attacker to write arbitrary files on the target system.

The weakness exists in Oracle FLEXCUBE Investor Servicing due to improper security restrictions. A remote attacker can create, delete or modify critical data or all Oracle FLEXCUBE Investor Servicing accessible data.

24) Information disclosure (CVE-ID: CVE-2017-3534)

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in Oracle FLEXCUBE Universal Banking due to improper security restrictions. A remote attacker can gain unauthorized access to critical data or complete access to all Oracle FLEXCUBE Universal Banking accessible data.

25) Security restrictions bypass (CVE-ID: CVE-2017-3496)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in Oracle FLEXCUBE Enterprise Limits and Collateral Management due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file, update, insert or delete some of Oracle FLEXCUBE Enterprise Limits and Collateral Management accessible data and gain unauthorized read access to a subset of Oracle FLEXCUBE Enterprise Limits and Collateral Management accessible data.

26) Security restrictions bypass (CVE-ID: CVE-2017-3492)

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in Oracle FLEXCUBE Enterprise Limits and Collateral Management due to improper security restrictions. A remote attacker can update, insert or delete some of Oracle FLEXCUBE Enterprise Limits and Collateral Management accessible data and gain unauthorized read access to a subset of Oracle FLEXCUBE Enterprise Limits and Collateral Management accessible data.

27) Security restrictions bypass (CVE-ID: CVE-2017-3484)

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in Oracle FLEXCUBE Enterprise Limits and Collateral Management due to improper security restrictions. A remote attacker can update, insert or delete some of Oracle FLEXCUBE Enterprise Limits and Collateral Management accessible data and gain unauthorized read access to a subset of Oracle FLEXCUBE Enterprise Limits and Collateral Management accessible data.

28) Security restrictions bypass (CVE-ID: CVE-2017-3489)

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in Oracle FLEXCUBE Investor Servicing due to improper security restrictions. A remote attacker can update, insert or delete some of Oracle FLEXCUBE Investor Servicing accessible data and gain unauthorized read access to a subset of Oracle FLEXCUBE Investor Servicing accessible data.

29) Security restrictions bypass (CVE-ID: CVE-2017-3288)

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in Oracle FLEXCUBE Investor Servicing due to improper security restrictions. A remote attacker can update, insert or delete some of Oracle FLEXCUBE Investor Servicing accessible data and gain unauthorized read access to a subset of Oracle FLEXCUBE Investor Servicing accessible data.

30) Security restrictions bypass (CVE-ID: CVE-2017-3478)

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in Oracle FLEXCUBE Private Banking due to improper security restrictions. A remote attacker can update, insert or delete some of Oracle FLEXCUBE Private Banking accessible data and gain unauthorized read access to a subset of Oracle FLEXCUBE Private Banking accessible data.

31) Security restrictions bypass (CVE-ID: CVE-2017-3479)

The vulnerability allows a remote authenticated attacker to write arbitrary files and cause a DoS condition on the target system.

The weakness exists in Oracle FLEXCUBE Private Banking due to improper security restrictions. A remote attacker can update, insert or delete some of Oracle FLEXCUBE Private Banking accessible data and partially cause the service to crash.

32) Security restrictions bypass (CVE-ID: CVE-2017-3482)

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in Oracle FLEXCUBE Universal Banking due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file, update, insert or delete some of Oracle FLEXCUBE Universal Banking accessible data and gain unauthorized read access to a subset of Oracle FLEXCUBE Universal Banking accessible data.

33) Security restrictions bypass (CVE-ID: CVE-2017-3475)

The vulnerability allows a remote authenticated attacker to cause a DoS condition on the target system.

The weakness exists in Oracle FLEXCUBE Private Banking due to improper security restrictions. A remote attacker can partially cause the service to crash.

34) Security restrictions bypass (CVE-ID: CVE-2017-3471)

The vulnerability allows a remote unauthenticated attacker to write arbitrary files on the target system.

The weakness exists in Oracle FLEXCUBE Private Banking due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file and update, insert or delete some of Oracle FLEXCUBE Private Banking accessible data.

35) Information disclosure (CVE-ID: CVE-2017-3480)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in Oracle FLEXCUBE Universal Banking due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file and gain unauthorized read access to a subset of Oracle FLEXCUBE Universal Banking accessible data.

36) Information disclosure (CVE-ID: CVE-2017-3535)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in Oracle FLEXCUBE Universal Banking due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file and gain unauthorized read access to a subset of Oracle FLEXCUBE Universal Banking accessible data.

37) Information disclosure (CVE-ID: CVE-2017-3494)

The vulnerability allows a remote unauthenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in Oracle FLEXCUBE Universal Banking due to improper security restrictions. A remote attacker can trick the victim into opening a specially crafted file and gain unauthorized read access to a subset of Oracle FLEXCUBE Universal Banking accessible data.

38) Information disclosure (CVE-ID: CVE-2017-3483)

The vulnerability allows a local authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in Oracle FLEXCUBE Enterprise Limits and Collateral Management due to improper security restrictions. A local attacker can gain unauthorized read access to critical data and all of Oracle FLEXCUBE Enterprise Limits and Collateral Management accessible data.

39) Information disclosure (CVE-ID: CVE-2017-3473)

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in Oracle FLEXCUBE Private Banking due to improper security restrictions. A remote attacker can gain unauthorized read access to a subset of Oracle FLEXCUBE Private Banking accessible data.

40) Security restrictions bypass (CVE-ID: CVE-2017-3481)

The vulnerability allows a remote authenticated attacker to cause a DoS condition on the target system.

The weakness exists in Oracle FLEXCUBE Universal Banking due to improper security restrictions. A remote attacker can partially cause the service to crash.

41) Security restrictions bypass (CVE-ID: CVE-2017-3477)

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists in Oracle FLEXCUBE Private Banking due to improper security restrictions. A remote attacker can update, insert or delete some of Oracle FLEXCUBE Private Banking accessible data and gain unauthorized read access to a subset of Oracle FLEXCUBE Private Banking accessible data.

42) Information disclosure (CVE-ID: CVE-2017-3490)

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists in Oracle FLEXCUBE Enterprise Limits and Collateral Management due to improper security restrictions. A remote attacker can gain unauthorized read access to a subset of Oracle FLEXCUBE Enterprise Limits and Collateral Management accessible data.

43) Security restrictions bypass (CVE-ID: CVE-2017-3487)

The vulnerability allows a remote authenticated attacker to write arbitrary files on the target system.

The weakness exists in Oracle FLEXCUBE Investor Servicing due to improper security restrictions. A remote attacker can update, insert or delete some of Oracle FLEXCUBE Investor Servicing accessible data.

Remediation

Install the update from the vendor's website.