SB2021042523 - Multiple vulnerabilities in Oracle FLEXCUBE Private Banking

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2021042523

SB2021042523 - Multiple vulnerabilities in Oracle FLEXCUBE Private Banking

Published: April 25, 2021

Security Bulletin ID SB2021042523
Severity
High
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 38% Medium 38% Low 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 8 secuirty vulnerabilities.


1) Memory leak (CVE-ID: CVE-2020-9489)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.


2) Use of insufficiently random values (CVE-ID: CVE-2020-5408)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the affected software uses a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A remote authenticated attacker can derive the unencrypted values using a dictionary attack.


3) Protection mechanism failure (CVE-ID: CVE-2019-10086)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exist due to Beanutils is not using by default the a special BeanIntrospector class in PropertyUtilsBean that was supposed to suppress the ability for an attacker to access the classloader via the class property available on all Java objects. A remote attacker can abuse such application behavior against applications that were developed to rely on this security feature.


4) Improper input validation (CVE-ID: CVE-2020-5421)

The vulnerability allows a remote authenticated user to read and manipulate data.

The vulnerability exists due to improper input validation within the Core (Spring Framework) component in Oracle Communications Session Report Manager. A remote authenticated user can exploit this vulnerability to read and manipulate data.


5) Operation on a Resource after Expiration or Release (CVE-ID: CVE-2019-17638)

The vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.

In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the pool and while thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer with response2 data. Thread1 then proceeds to write the buffer that now contains response2 data. This results in client1, which issued request1 and expects responses, to see response2 which could contain sensitive data belonging to client2 (HTTP session ids, authentication credentials, etc.).


6) XML External Entity injection (CVE-ID: CVE-2019-3773)

The vulnerability allows a remote unauthenticated attacker to conduct XXE-attack.

The vulnerability exists due to improper handling of XML External Entities (XXEs) when parsing an XML file. A remote attacker can supply a specially crafted input and obtain potentially sensitive information or cause the service to crash


7) Deserialization of Untrusted Data (CVE-ID: CVE-2020-5413)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can abuse built-in feature to serialize gadgets to execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


8) Improper Authentication (CVE-ID: CVE-2020-11998)

The vulnerability allows a remote client to bypass authentication process.

The vulnerability exists due to an error in authentication process, caused by incorrect implementation of protection measures against JMX re-bind attack. A remote attacker can bypass authentication process by passing an empty environment map to RMIConnectorServer, instead of the map that contains the authentication credentials.As a result, a remote client can create javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs.

Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code on the target system.


Remediation

Install update from vendor's website.

References