SB2022042273 - Multiple vulnerabilities in Oracle Banking Payments

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Improper input validation (CVE-ID: CVE-2022-21475)

The vulnerability allows a remote authenticated user to read and manipulate data.

The vulnerability exists due to improper input validation within the Infrastructure component in Oracle Banking Payments. A remote authenticated user can exploit this vulnerability to read and manipulate data.

2) Buffer overflow (CVE-ID: CVE-2021-30129)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in the sshd-core of Apache Mina SSHD. A remote attacker can send specially crafted requests to the server, trigger buffer overflow and perform a denial of service (DoS) attack.

3) Code Injection (CVE-ID: CVE-2021-44832)

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote user with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code.

4) Resource exhaustion (CVE-ID: CVE-2021-36090)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when processing ZIP archives. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://www.oracle.com/security-alerts/cpuapr2022.html?504386