Multiple vulnerabilities in Oracle FLEXCUBE Private Banking
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 8 |
| CVE-ID | CVE-2020-9489 CVE-2020-5408 CVE-2019-10086 CVE-2020-5421 CVE-2019-17638 CVE-2019-3773 CVE-2020-5413 CVE-2020-11998 |
| CWE-ID | CWE-401 CWE-330 CWE-693 CWE-20 CWE-672 CWE-611 CWE-502 CWE-287 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #4 is available. |
| Vulnerable software |
Oracle FLEXCUBE Private Banking Other software / Other software solutions |
| Vendor | Oracle |
Security Bulletin
This security bulletin contains information about 8 vulnerabilities.
1) Memory leak
EUVDB-ID: #VU34420
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-9489
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
A carefully crafted or corrupt file may trigger a System.exit in Tika's OneNote Parser. Crafted or corrupted files can also cause out of memory errors and/or infinite loops in Tika's ICNSParser, MP3Parser, MP4Parser, SAS7BDATParser, OneNoteParser and ImageParser. Apache Tika users should upgrade to 1.24.1 or later. The vulnerabilities in the MP4Parser were partially fixed by upgrading the com.googlecode:isoparser:1.1.22 dependency to org.tallison:isoparser:1.9.41.2. For unrelated security reasons, we upgraded org.apache.cxf to 3.3.6 as part of the 1.24.1 release.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle FLEXCUBE Private Banking: 12.0.0 - 12.1.0
CPE2.3- cpe:2.3:a:oracle:oracle_flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuapr2021.html?3367
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Use of insufficiently random values
EUVDB-ID: #VU28463
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-5408
CWE-ID:
CWE-330 - Use of Insufficiently Random Values
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the affected software uses a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A remote authenticated attacker can derive the unencrypted values using a dictionary attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle FLEXCUBE Private Banking: 12.0.0 - 12.1.0
CPE2.3- cpe:2.3:a:oracle:oracle_flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuapr2021.html?3367
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Protection mechanism failure
EUVDB-ID: #VU20844
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-10086
CWE-ID:
CWE-693 - Protection Mechanism Failure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exist due to Beanutils is not using by default the a special BeanIntrospector class in PropertyUtilsBean that was supposed to suppress the ability for an attacker to access the classloader via the class property available on all Java objects. A remote attacker can abuse such application behavior against applications that were developed to rely on this security feature.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle FLEXCUBE Private Banking: 12.0.0 - 12.1.0
CPE2.3- cpe:2.3:a:oracle:oracle_flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuapr2021.html?3367
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Improper input validation
EUVDB-ID: #VU49739
Risk: Medium
CVSSv4.0: 5.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N/E:P/U:Green]
CVE-ID: CVE-2020-5421
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote authenticated user to read and manipulate data.
The vulnerability exists due to improper input validation within the Core (Spring Framework) component in Oracle Communications Session Report Manager. A remote authenticated user can exploit this vulnerability to read and manipulate data.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle FLEXCUBE Private Banking: 12.0.0 - 12.1.0
CPE2.3- cpe:2.3:a:oracle:oracle_flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuapr2021.html?3367
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
5) Operation on a Resource after Expiration or Release
EUVDB-ID: #VU34161
Risk: High
CVSSv4.0: 8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2019-17638
CWE-ID:
CWE-672 - Operation on a Resource after Expiration or Release
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.
In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the pool and while thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer with response2 data. Thread1 then proceeds to write the buffer that now contains response2 data. This results in client1, which issued request1 and expects responses, to see response2 which could contain sensitive data belonging to client2 (HTTP session ids, authentication credentials, etc.).
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle FLEXCUBE Private Banking: 12.0.0 - 12.1.0
CPE2.3- cpe:2.3:a:oracle:oracle_flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuapr2021.html?3367
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) XML External Entity injection
EUVDB-ID: #VU17185
Risk: Low
CVSSv4.0: 6.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-3773
CWE-ID:
CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to conduct XXE-attack.
The vulnerability exists due to improper handling of XML External Entities (XXEs) when parsing an XML file. A remote attacker can supply a specially crafted input and obtain potentially sensitive information or cause the service to crash
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle FLEXCUBE Private Banking: 12.0.0 - 12.1.0
CPE2.3- cpe:2.3:a:oracle:oracle_flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuapr2021.html?3367
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Deserialization of Untrusted Data
EUVDB-ID: #VU31796
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-5413
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can abuse built-in feature to serialize gadgets to execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsOracle FLEXCUBE Private Banking: 12.0.0 - 12.1.0
CPE2.3- cpe:2.3:a:oracle:oracle_flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuapr2021.html?3367
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Improper Authentication
EUVDB-ID: #VU46680
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-11998
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote client to bypass authentication process.
The vulnerability exists due to an error in authentication process, caused by incorrect implementation of protection measures against JMX re-bind attack. A remote attacker can bypass authentication process by passing an empty environment map to RMIConnectorServer, instead of the map that contains the authentication credentials.As a result, a remote client can create javax.management.loading.MLet MBean and use it to create new MBeans from arbitrary URLs.
Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code on the target system.
Install update from vendor's website.
Vulnerable software versionsOracle FLEXCUBE Private Banking: 12.0.0 - 12.1.0
CPE2.3- cpe:2.3:a:oracle:oracle_flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:oracle_flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
https://www.oracle.com/security-alerts/cpuapr2021.html?3367
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
