Research Notes
April 30, 2023

Advisory: Oracle Opera Pre-Auth RCE (CVE-2023-21932)

No items found.
Creative Commons license


An attacker can obtain the JNDI connection name through servlets that leak this information. Due to the weak hardcoded cryptography used by Oracle Opera, it is possible for an attacker to craft encrypted payloads. After the JNDI connection name and encryption elements have been obtained by an attacker, it is possible to exploit an order of operations bug inside the <span class="code_single-line">FileReceiver</span> servlet. This allows attackers to upload arbitrary files to the system, leading to remote command execution. All of the steps required to achieve this can be completed without authentication.


An attacker can upload a web shell to the Oracle Opera system and execute arbitrary commands. After gaining RCE, it may be possible to laterally escalate privileges on the network.

Affected Software

The following versions are affected by this vulnerability:

  • Oracle Hospitality OPERA 5 Property Services 5.6 and below

Product Description

Oracle Hospitality OPERA 5 Sales and Catering is a full-featured customer- and event-management application that seamlessly integrates with OPERA 5 Property Management to simply and efficiently manage hotel events and operations.


Upgrade to the latest version of Opera. > 5.6.

Oracle’s official advisory can be found here.

Blog Post

The blog post detailing the steps taken for the discovery of this vulnerability can be found here.


This research was done by Shubham Shah, Sean Yeoh, Brendan Scarvell and Jason Haddix.

Written by:
Shubham Shah
Your subscription could not be saved. Please try again.
Your subscription has been successful.

Get updates on our research

Subscribe to our newsletter and stay updated on the newest research, security advisories, and more!

Ready to get started?

Get on a call with our team and learn how Assetnote can change the way you secure your attack surface. We'll set you up with a trial instance so you can see the impact for yourself.