SB2019011555 - Multiple vulnerabilities in Oracle Hospitality Cruise Shipboard Property Management System
Published: January 15, 2019
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2019-2410)
The vulnerability allows a local non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the DGS RES Online, FMS Sender, FMS Receiver, OHC WPF Security components in Oracle Hospitality Cruise Shipboard Property Management System. A local non-authenticated attacker can exploit this vulnerability to read and manipulate data.
2) Improper input validation (CVE-ID: CVE-2019-2409)
The vulnerability allows a local authenticated user to read and manipulate data.
The vulnerability exists due to improper input validation within the SPMS Suite component in Oracle Hospitality Cruise Shipboard Property Management System. A local authenticated user can exploit this vulnerability to read and manipulate data.
3) Improper input validation (CVE-ID: CVE-2019-2411)
The vulnerability allows a remote authenticated user to damage or delete data.
The vulnerability exists due to improper input validation within the SPMS Suite component in Oracle Hospitality Cruise Shipboard Property Management System. A remote authenticated user can exploit this vulnerability to damage or delete data.
4) Arbitrary code execution (CVE-ID: CVE-2016-5684)
The vulnerability allows a remote unauthenticated user to execute arbitrary code on the target system.
The weakness exists due to a buffer overflow when processing a malformed XMP or RAW image, which allows attackers to execute arbitrary code.
Successful exploitation of the vulnerability results in arbitrary code execution on the vulnerable system.
Remediation
Install the update from the vendor's website.