Information disclosure in Oracle Financial Services Software



| Updated: 2017-01-04
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2016-5543
CWE-ID CWE-399
Exploitation vector Network
Public exploit N/A
Vulnerable software
 Oracle Financial Services Software
Server applications / Other server solutions

Oracle FLEXCUBE Enterprise Limits and Collateral Management
Web applications / Remote management & hosting panels

Vendor Oracle

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Information disclosure

EUVDB-ID: #VU1052

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2016-5543

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote unauthenticated user to access data on the target system.
The weakness is caused by a flaw in the Oracle FLEXCUBE Enterprise Limits and Collateral Management INFRA component and lets attacker partially obtain and partially modify arbitrary files.
Successful exploitation of the vulnerability results in disclosure and partial modification of information on the vulnerable system.

Vulnerable software versions

Oracle Financial Services Software: 12.0.0 - 12.1.0

Oracle FLEXCUBE Enterprise Limits and Collateral Management: 12.0.0 - 12.1.0

CPE2.3 External links

https://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixIFLX
https://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###