Multiple vulnerabilities in Oracle Banking APIs
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2023-33201 CVE-2023-20863 CVE-2023-2976 CVE-2023-20883 |
| CWE-ID | CWE-90 CWE-20 CWE-276 CWE-399 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Oracle Banking APIs Server applications / Other server solutions |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) LDAP injection
EUVDB-ID: #VU78328
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-33201
CWE-ID:
CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to improper input validation in applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability. A remote non-authenticated attacker can use a specially crafted X.509 certificate to bypass authentication process and gain unauthorized access to the application.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Banking APIs: 18.3 - 22.2
CPE2.3- cpe:2.3:a:oracle:oracle_banking_apis:18.3:*:*:*:*:*:*:
- cpe:2.3:a:oracle:oracle_banking_apis:19.1:*:*:*:*:*:*:
- cpe:2.3:a:oracle:oracle_banking_apis:19.2:*:*:*:*:*:*:
http://www.oracle.com/security-alerts/cpuoct2023.html?948038
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU75409
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-20863
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote user can use a specially crafted SpEL expression and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Banking APIs: 21.1 - 22.2
CPE2.3- cpe:2.3:a:oracle:oracle_banking_apis:21.1:*:*:*:*:*:*:
- cpe:2.3:a:oracle:oracle_banking_apis:22.1:*:*:*:*:*:*:
- cpe:2.3:a:oracle:oracle_banking_apis:22.2:*:*:*:*:*:*:
http://www.oracle.com/security-alerts/cpuoct2023.html?948038
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Incorrect default permissions
EUVDB-ID: #VU77107
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-2976
CWE-ID:
CWE-276 - Incorrect Default Permissions
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect default permissions in com.google.common.io.FileBackedOutputStream. A local user with access to the system can view contents of files and directories or modify them.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle Banking APIs: 18.3 - 22.2
CPE2.3- cpe:2.3:a:oracle:oracle_banking_apis:18.3:*:*:*:*:*:*:
- cpe:2.3:a:oracle:oracle_banking_apis:19.1:*:*:*:*:*:*:
- cpe:2.3:a:oracle:oracle_banking_apis:19.2:*:*:*:*:*:*:
http://www.oracle.com/security-alerts/cpuoct2023.html?948038
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Resource management error
EUVDB-ID: #VU76427
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-20883
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
Specifically, an application is vulnerable if all of the conditions are true:
- The application has Spring MVC auto-configuration enabled. This is the case by default if Spring MVC is on the classpath.
- The application makes use of Spring Boot's welcome page support, either static or templated.
- Your application is deployed behind a proxy which caches 404 responses.
Install update from vendor's website.
Vulnerable software versionsOracle Banking APIs: 21.1 - 22.2
CPE2.3- cpe:2.3:a:oracle:oracle_banking_apis:21.1:*:*:*:*:*:*:
- cpe:2.3:a:oracle:oracle_banking_apis:22.1:*:*:*:*:*:*:
- cpe:2.3:a:oracle:oracle_banking_apis:22.2:*:*:*:*:*:*:
http://www.oracle.com/security-alerts/cpuoct2023.html?948038
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
