Flash Notice: Oracle Opera Vulnerability Impacts Hotel Chains

overview

A vulnerability (CVE-2023-21932) was found in Oracle Opera (also known as Micros Opera) – a property management system that is widely used in large resort and hotel chains. The vulnerability can be exploited by unauthenticated remote attackers to access sensitive data.  

CVE-2023-21932 has a CVSS score of 7.2 and impacts version 5.6 of the Oracle Hospitality OPERA 5 Property Services product. Oracle stated that exploiting the vulnerability requires significant effort and privileged access to the network through HTTP. However, the researchers at Asettnote have contradicted this claim by demonstrating that attackers can effortlessly execute pre-auth commands by obtaining a JNDI connection name from specific URLs. An attacker can accomplish this by breaking the solutions encryption scheme and using it to encrypt arbitrary strings. 

“As seen above, RCE is possible without any special access or knowledge. All steps performed in the exploitation of this vulnerability were without any authentication. This vulnerability should have a CVSS score of 10.0.” – Assetnote  

Although Oracle released a patch for the vulnerability in April 2023, security researchers didn't take notice of it until this month due to the specialized nature of the software. There have been no major critical vulnerabilities in Oracle Opera since 2016. The Oracle Hospitality Opera 5 Property Services product is used by Radisson Hotels, Accor Hotels, Wyndham Group, Marriot, and IHG.  

avertium's recommendations

• For more information on how CVE-2023-21932 can be exploited, please read Assetnote’s proof of concept blog.  
• It is recommended not to expose Oracle Opera to the internet.  
• If you have not already done so, please follow Oracle’s patch guidance for CVE-2023-21932.  
• CVSS (Common Vulnerability Scoring System) 
  • CVSS Base Score – 7.2  
  • Impact Subscore – 5.3 
  • Exploitability Subscore – 1.3  
  • CVSS Temporal Score – 6.5  
  • CVSS Environmental Score – 8.9 
  • Modified Impact Subscore – 5.3 
  • Overall CVSS Score – 8.9  

INDICATORS OF COMPROMISE (IoCs)

At this time, there are no known IoCs associated with CVE-2023-21932. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.   

How Avertium is Protecting Our CUSTOMERS

• Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. 
• Fusion MXDR is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts. 
• Avertium offers VMaaS to provide a deeper understanding and control over organizational information security risks.  If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.  
• Avertium offers Zero Trust Network as a Service (ZTNaaS) for any organization that wants to control their attack surface. The zero-trust security model delivers exactly what the name promises: it is an IT security concept that specifies no access is allowed until the successful completion of authentication and authorization processes.  

SUPPORTING DOCUMENTATION