An attacker can obtain the JNDI connection name through servlets that leak this information. Due to the weak hardcoded cryptography used by Oracle Opera, it is possible for an attacker to craft encrypted payloads. After the JNDI connection name and encryption elements have been obtained by an attacker, it is possible to exploit an order of operations bug inside the <span class="code_single-line">FileReceiver</span> servlet. This allows attackers to upload arbitrary files to the system, leading to remote command execution. All of the steps required to achieve this can be completed without authentication.
An attacker can upload a web shell to the Oracle Opera system and execute arbitrary commands. After gaining RCE, it may be possible to laterally escalate privileges on the network.
The following versions are affected by this vulnerability:
- Oracle Hospitality OPERA 5 Property Services 5.6 and below
Oracle Hospitality OPERA 5 Sales and Catering is a full-featured customer- and event-management application that seamlessly integrates with OPERA 5 Property Management to simply and efficiently manage hotel events and operations.
Upgrade to the latest version of Opera. > 5.6.
Oracle’s official advisory can be found here.
The blog post detailing the steps taken for the discovery of this vulnerability can be found here.
This research was done by Shubham Shah, Sean Yeoh, Brendan Scarvell and Jason Haddix.