Easily exploitable flaw in Oracle Opera could spell trouble for hotel chains (CVE-2023-21932)
A recently patched vulnerability in Oracle Opera, a property management system widely used in large hotel and resort chains, is more critical than Oracle says it is and could be easily exploited by unauthenticated remote attackers to access sensitive information, a group of researchers has warned.
Oracle Opera, also known as Micros Opera, is a solution many companies in the hospitality industry - more specifically, those offering lodging and related services - use to manage reservations, sales, housekeeping, catering, and deliver personalized guest experiences.
CVE-2023-21932 affects version 5.6 of the Oracle Hospitality OPERA 5 Property Services product and may allow attackers to access, update or insert critical data accessible via the solution.
According to Oracle, the vulnerability is difficult to exploit and the attacker needs high privileges and network access via HTTP. The researchers disagree, and have shown how attackers can easily achieve pre-auth command execution after obtaining a JNDI connection name from specific URLs, breaking the solution's encryption scheme, and repurposing it to encrypt arbitrary strings.
"RCE is possible without any special access or knowledge. All steps performed in the exploitation of this vulnerability were without any authentication. This vulnerability should have a CVSS score of 10.0," they concluded.
Organizations using the Oracle Opera solution should quickly implement the patches provided by Oracle in April.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-04-18 | CVE-2023-21932 | Unspecified vulnerability in Oracle Hospitality Opera 5 Property Services 5.6: vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: OXI). | 7.2 |