Oracle recently released their Critical Patch Update addressing 433 vulnerabilities across their products, including a vulnerability in the Oracle Hospitality OPERA 5 Property Services product. According to Oracle’s vulnerability description, CVE-2023-21932 is a difficult-to-exploit vulnerability, requiring network access via HTTP and high privileges.
However, on April 30, 2023, security researchers from Assetnote published a blog disagreeing with Oracle’s description and assigned severity rating, stating the vulnerability could result in pre-authentication RCE. The proof-of-concept blog demonstrated how the security researchers were able to achieve pre-authenticated RCE.
The vulnerability is caused by an order-of-operations bug: the product sanitizes the still-encrypted payload and only then decrypts it, so the sanitization never sees the actual content. As a result, a threat actor could supply an arbitrary payload that is never sanitized. By gathering publicly available information, such as the JNDI connection name, and recreating and repurposing Oracle’s encryption routine, a threat actor could achieve pre-authentication RCE. The security researchers include the Java file used to encrypt arbitrary strings in their write-up, making the recreation and repurposing of Oracle’s encryption routine trivial. The security researchers were able to successfully exploit this vulnerability prior to authentication and upload a CGI web shell to the local file system.
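The order-of-operations flaw described above, as an added illustration that is neither Oracle’s code nor Assetnote’s proof of concept: a fixed-key XOR is a constructed stand-in for the product’s encryption, and the allowlist check is hypothetical. The point is where the check runs relative to decryption, not the cipher.

```python
import re
from typing import Optional

# Constructed stand-in for the product's encryption; Oracle's real routine is
# not reproduced. A fixed-key XOR keeps the example self-contained.
STANDIN_KEY = b"placeholder-key"  # placeholder, not a real key

# Hypothetical allowlist for a file-name style parameter.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_.-]+$")


def _xor(data: bytes) -> bytes:
    return bytes(b ^ STANDIN_KEY[i % len(STANDIN_KEY)] for i, b in enumerate(data))


def standin_encrypt(plaintext: str) -> str:
    """Hex-encoded ciphertext, the form a request parameter would carry."""
    return _xor(plaintext.encode()).hex()


def standin_decrypt(param_hex: str) -> str:
    """Raises ValueError on malformed hex or undecodable bytes."""
    return _xor(bytes.fromhex(param_hex)).decode()


def is_safe(value: str) -> bool:
    """Allowlisted characters only and no parent-directory segments."""
    return bool(SAFE_VALUE.match(value)) and ".." not in value


def handle_vulnerable(param_hex: str) -> Optional[str]:
    """Sanitize-then-decrypt: the check only ever sees hex digits, which always pass."""
    if not is_safe(param_hex):
        return None
    return standin_decrypt(param_hex)  # decrypted value reaches the caller unchecked


def handle_fixed(param_hex: str) -> Optional[str]:
    """Decrypt-then-validate: the check runs on the value that will actually be used."""
    try:
        plaintext = standin_decrypt(param_hex)
    except ValueError:
        return None
    return plaintext if is_safe(plaintext) else None
```

Run both handlers on the same encrypted parameter: the vulnerable order returns a traversal string untouched, while the corrected order rejects it.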
Based on the proof-of-concept blog and the included Java file used to encrypt arbitrary strings, we assess threat actors will develop a working proof-of-concept exploit and begin exploiting this vulnerability in the near term against public-facing applications.
Oracle Hospitality OPERA 5 Property Services
Recommendation for CVE-2023-21932
Apply the Latest Security Patch for OPERA 5 Property Services
Arctic Wolf strongly recommends applying the latest security patch to prevent potential exploitation of this vulnerability. The security patch is behind “My Oracle Support” login here: https://support.oracle.com/rs?type=doc&id=2935379.1
Please follow your organization’s patching and testing guidelines to avoid operational impact.