SB20230418111 - Multiple vulnerabilities in Oracle Banking Corporate Lending Process Management

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2022-22971)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within the Spring application with a STOMP over WebSocket endpoint. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.

2) Input validation error (CVE-ID: CVE-2022-22979)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the caching issue in Function Catalog component of the framework. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack via spring-cloud-function-web module.

3) Resource management error (CVE-ID: CVE-2022-2048)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application when handling invalid HTTP/2 requests. A remote attacker can send specially crafted requests to the server and perform a denial of service (DoS) attack.

4) Improper Authorization (CVE-ID: CVE-2022-22978)

The vulnerability allows a remote attacker to bypass authorization process.

The vulnerability exists due to input validation error when processing untrusted input in applications that are using RegexRequestMatcher with `.` in the regular expression. A remote non-authenticated attacker can bypass authorization checks.

Remediation

Install update from vendor's website.

References

• https://www.oracle.com/security-alerts/cpuapr2023.html?924443