SB2018011707 - Multiple vulnerabilities in Oracle Financial Services Applications




Published: January 17, 2018

Security Bulletin ID: SB2018011707
Severity: Medium
Patch available: YES
Number of vulnerabilities: 34
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 41%, Low: 59%

Description

This security bulletin contains information about 34 security vulnerabilities.


1) Security restrictions bypass (CVE-ID: CVE-2018-2592)

The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Balance Sheet Planning User Interface component. A remote attacker can access and modify data.

2) Information disclosure (CVE-ID: CVE-2018-2614)

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists due to a flaw in the Oracle FLEXCUBE Universal Banking Infrastructure component. A remote attacker can access important data.

3) Security restrictions bypass (CVE-ID: CVE-2018-2626)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Balance Sheet Planning User Interface component. A remote attacker can partially access and partially modify data.

4) Security restrictions bypass (CVE-ID: CVE-2018-2630)

The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle FLEXCUBE Universal Banking Security Management System component. A remote attacker can partially access and partially modify data.

5) Privilege escalation (CVE-ID: CVE-2018-2648)

The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.

The weakness exists due to a flaw in the Oracle FLEXCUBE Universal Banking Infrastructure component. A remote attacker can gain administrative privileges.

6) Denial of service (CVE-ID: CVE-2018-2649)

The vulnerability allows a remote authenticated attacker to cause a DoS condition on the target system.

The weakness exists due to a flaw in the Oracle FLEXCUBE Universal Banking Infrastructure component. A remote attacker can modify data and cause denial of service conditions.

7) Security restrictions bypass (CVE-ID: CVE-2018-2660)

The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Analytical Applications Infrastructure Core component. A remote attacker can partially access data, partially modify data, and partially deny service.

8) Security restrictions bypass (CVE-ID: CVE-2018-2661)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Analytical Applications Infrastructure Core component. A remote attacker can partially access and partially modify data.

9) Security restrictions bypass (CVE-ID: CVE-2018-2670)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Profitability Management User Interface component. A remote attacker can partially access and partially modify data.

10) Security restrictions bypass (CVE-ID: CVE-2018-2674)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle FLEXCUBE Direct Banking Logoff component. A remote attacker can partially access and partially modify data.

11) Security restrictions bypass (CVE-ID: CVE-2018-2679)

The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Profitability Management User Interface component. A remote attacker can access and modify data.

12) Security restrictions bypass (CVE-ID: CVE-2018-2682)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Liquidity Risk Management User Interface component. A remote attacker can partially access and partially modify data.

13) Security restrictions bypass (CVE-ID: CVE-2018-2692)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Asset Liability Management User Interface component. A remote attacker can partially access and partially modify data.

14) Denial of service (CVE-ID: CVE-2018-2704)

The vulnerability allows a remote authenticated attacker to cause a DoS condition on the target system.

The weakness exists due to a flaw in the Oracle Banking Payments Payments Core component. A remote attacker can modify data and cause denial of service conditions.

15) Privilege escalation (CVE-ID: CVE-2018-2705)

The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.

The weakness exists due to a flaw in the Oracle Banking Payments Payments Core component. A remote attacker can gain administrative privileges.

16) Privilege escalation (CVE-ID: CVE-2018-2706)

The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.

The weakness exists due to a flaw in the Oracle Banking Corporate Lending Core module component. A remote attacker can gain administrative privileges.

17) Denial of service (CVE-ID: CVE-2018-2707)

The vulnerability allows a remote authenticated attacker to cause a DoS condition on the target system.

The weakness exists due to a flaw in the Oracle Banking Corporate Lending Core module component. A remote attacker can modify data and cause denial of service conditions.

18) Information disclosure (CVE-ID: CVE-2018-2708)

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists due to a flaw in the Oracle Banking Payments Payments Core component. A remote attacker can access important data.

19) Information disclosure (CVE-ID: CVE-2018-2709)

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists due to a flaw in the Oracle Banking Corporate Lending Core module component. A remote attacker can access important data.

20) Security restrictions bypass (CVE-ID: CVE-2018-2712)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Loan Loss Forecasting and Provisioning User Interface component. A remote attacker can partially access and partially modify data.

21) Security restrictions bypass (CVE-ID: CVE-2018-2714)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Market Risk User Interface component. A remote attacker can partially access and partially modify data.

22) Security restrictions bypass (CVE-ID: CVE-2018-2716)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Market Risk Measurement and Management User Interface component. A remote attacker can partially access and partially modify data.

23) Security restrictions bypass (CVE-ID: CVE-2018-2719)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Hedge Management and IFRS Valuations User Interface component. A remote attacker can partially access and partially modify data.

24) Security restrictions bypass (CVE-ID: CVE-2018-2720)

The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Liquidity Risk Management User Interface component. A remote attacker can access and modify data.

25) Security restrictions bypass (CVE-ID: CVE-2018-2721)

The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Price Creation and Discovery User Interface component. A remote attacker can access and modify data.

26) Security restrictions bypass (CVE-ID: CVE-2018-2722)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Price Creation and Discovery User Interface component. A remote attacker can partially access and partially modify data.

27) Security restrictions bypass (CVE-ID: CVE-2018-2723)

The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Asset Liability Management User Interface component. A remote attacker can access and modify data.

28) Security restrictions bypass (CVE-ID: CVE-2018-2724)

The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Loan Loss Forecasting and Provisioning User Interface component. A remote attacker can access and modify data.

29) Security restrictions bypass (CVE-ID: CVE-2018-2725)

The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Hedge Management and IFRS Valuations User Interface component. A remote attacker can access and modify data.

30) Security restrictions bypass (CVE-ID: CVE-2018-2726)

The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Market Risk User Interface component. A remote attacker can access and modify data.

31) Security restrictions bypass (CVE-ID: CVE-2018-2727)

The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Market Risk Measurement and Management User Interface component. A remote attacker can access and modify data.

32) Security restrictions bypass (CVE-ID: CVE-2018-2728)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Funds Transfer Pricing User Interface component. A remote attacker can partially access and partially modify data.

33) Security restrictions bypass (CVE-ID: CVE-2018-2729)

The vulnerability allows a remote authenticated attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Funds Transfer Pricing User Interface component. A remote attacker can access and modify data.

34) Security restrictions bypass (CVE-ID: CVE-2018-2732)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a flaw in the Oracle Financial Services Analytical Applications Reconciliation Framework User Interface component. A remote attacker can partially access and partially modify data.

Remediation

Install the update from the vendor's website.