CVE-2023-21932: Critical Unauthenticated RCE Vulnerability in Oracle Hospitality OPERA 5 Property Services

Share :

Oracle recently released their Critical Patch Update addressing 433 vulnerabilities across their products, including a vulnerability in the Oracle Hospitality OPERA 5 Property Services product. According to Oracle’s vulnerability description, CVE-2023-21932 is a difficult to exploit vulnerability, requiring network access via HTTP and high privileges.

However, on 30 April 2023, security researchers from Assetnote published a blog disagreeing with Oracle’s description and assigned severity rating, stating the vulnerability could result in pre-authentication RCE. The proof-of-concept blog demonstrated how the security researchers were able to achieve pre-authenticated RCE.  

The vulnerability is caused by an order of operations bug where the product sanitises an encrypted payload and then decrypts it. Due to this, a threat actor could add any payload without it being sanitised. By gathering information publicly available, such as the JNDI connection name, recreating Oracle’s encryption routine and repurposing it, a threat actor could achieve pre-authentication RCE. The security researchers include the Java file used to encrypt arbitrary strings in their write up, making the recreation and repurposing of Oracle’s encryption routine trivial. The security researchers were able to successfully exploit this vulnerability prior to authentication and upload a CGI web shell to the local file system.  

Based on the proof of concept blog and the included Java file used to encrypt arbitrary strings, we assess threat actors will develop a working proof of concept exploit and begin exploiting this vulnerability in the near term against public-facing applications.  

Product  Vulnerable Version             
Oracle Hospitality OPERA 5 Property Services  Version 5.6 

Recommendation for CVE-2023-21932

Apply the Latest Security Patch for OPERA 5 Property Services 

Arctic Wolf strongly recommends applying the latest security patch to prevent potential exploitation of this vulnerability. The security patch is behind “My Oracle Support” login here: 

Please follow your organisations patching and testing guidelines to avoid operational impact. 


Picture of Steven Campbell

Steven Campbell

Steven Campbell is a Senior Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.
Share :
Table of Contents