Research Notes
April 30, 2023

Advisory: Oracle Opera Pre-Auth RCE (CVE-2023-21932)

Creative Commons license

Summary

An attacker can obtain the JNDI connection name through servlets that leak this information. Due to the weak hardcoded cryptography used by Oracle Opera, it is possible for an attacker to craft encrypted payloads. After the JNDI connection name and encryption elements have been obtained by an attacker, it is possible to exploit an order of operations bug inside the FileReceiver servlet. This allows attackers to upload arbitrary files to the system, leading to remote command execution. All of the steps required to achieve this can be completed without authentication.

Impact

An attacker can upload a web shell to the Oracle Opera system and execute arbitrary commands. After gaining RCE, it may be possible to laterally escalate privileges on the network.

Affected Software

The following versions are affected by this vulnerability:

  • Oracle Hospitality OPERA 5 Property Services 5.6 and below

Product Description

Oracle Hospitality OPERA 5 Sales and Catering is a full-featured customer- and event-management application that seamlessly integrates with OPERA 5 Property Management to simply and efficiently manage hotel events and operations.

Solution

Upgrade to the latest version of Opera (later than 5.6).

Oracle’s official advisory can be found here.

Blog Post

The blog post detailing the steps taken for the discovery of this vulnerability can be found here.

Credits

This research was done by Shubham Shah, Sean Yeoh, Brendan Scarvell and Jason Haddix.

Written by:
Shubham Shah