Forwarded from Taiwan Computer Network Crisis Management and Coordination Center: Cybersecurity Alert TWCERTCC-200-202605-00000016
[Content Description]
【CVE-2026-46833, CVSS: 9.0】This vulnerability exists in the Net Service component of Oracle Database Server. It allows unauthenticated attackers with network access via TLS to compromise the Net Service component, and successful exploitation may significantly impact other products.
【CVE-2026-46840, CVSS: 10.0】 This vulnerability exists in the Backend-as-a-Service component of Oracle REST Data Services, allowing unauthenticated attackers to access Oracle REST Data Services via HTTPS.
【CVE-2026-46775, CVSS: 9.9; CVE-2026-46839, CVSS: 9.9】These vulnerabilities exist in the Oracle REST Data Services Core component. A low-privilege attacker could access Oracle REST Data Services over an HTTPS network. Successful exploitation could lead to complete control of Oracle REST Data Services.
【CVE-2026-2332, CVSS: 9.1】This vulnerability exists in the Oracle REST Data Services Core (Eclipse Jetty) component. It allows unauthenticated attackers to access Oracle REST Data Services over an HTTPS network. Successful exploitation could lead to unauthorized addition, deletion, or modification of critical data.
【CVE-2026-33557, CVSS: 9.1】This vulnerability exists in the Oracle Communications Unified Assurance Message Bus (Apache Kafka) component. It allows unauthenticated attackers to access Oracle Communications Unified Assurance over a TCP network. Successful exploitation could lead to unauthorized addition, deletion, or modification of critical data.
【CVE-2025-15467, CVSS: 8.8】This vulnerability exists in the Oracle Communications Unified Assurance Core (MySQL Server) component, allowing unauthenticated attackers to access Oracle Communications Unified Assurance over an HTTP network. Successful exploitation requires interaction from a user other than the attacker.
【CVE-2026-41044, CVSS: 8.8】This vulnerability exists in the Oracle Communications Unified Assurance Message Bus (Apache Kafka) component. Low-privilege attackers can access Oracle Communications Unified Assurance over an HTTPS network. Successful exploitation could lead to complete control of Oracle Communications Unified Assurance.
【CVE-2026-46822, CVSS: 9.9】This vulnerability exists in the Oracle iAssets Internal Operations component. Low-privilege attackers can access and compromise Oracle iAssets over an HTTPS network. Successful exploitation could lead to complete control of Oracle iAssets.
【CVE-2026-46824, CVSS: 9.9】This vulnerability exists in the Work Provider Site Level Administration component of Oracle Universal Work Queue. A low-privilege attacker could access Oracle Universal Work Queue via HTTPS, potentially gaining complete control over the system.
【CVE-2026-46817, CVSS: 9.8】This vulnerability exists in the File Transmission component of Oracle Payments, allowing unauthenticated attackers to access Oracle Payments via HTTP. Successful exploitation could lead to complete control over Oracle Payments.
【CVE-2026-46819, CVSS: 9.1】This vulnerability exists in the Internal Operations component of Oracle Internet Procurement Connector, allowing unauthenticated attackers to access Oracle Internet Procurement Connector via HTTP. Successful exploitation could lead to unauthorized addition, deletion, or modification of critical data.
【CVE-2026-46837, CVSS: 8.8】This vulnerability exists in the Security component of Oracle Flow Manufacturing. A low-privilege attacker with network access via SQL could exploit it. Successful exploitation could lead to complete control of Oracle Flow Manufacturing.
【CVE-2026-46826, CVSS: 8.8】This vulnerability exists in the Internal Operations component of Oracle Payroll. A low-privilege attacker with network access via HTTPS could exploit it. Successful exploitation could lead to complete control of Oracle Payroll.
【CVE-2026-46827, CVSS: 8.8】This vulnerability exists in the Self Service Manager component of Oracle Payroll. A low-privilege attacker with network access via HTTP could exploit it. Successful exploitation could lead to complete control of Oracle Payroll.
【CVE-2026-34311, CVSS: 9.8】This vulnerability exists in the Opera component of Oracle Hospitality OPERA 5 Property Services, allowing unauthenticated attackers to access Oracle Hospitality OPERA 5 Property Services via HTTP. Successful exploitation could lead to complete control of Opera 5 Property Services.
[Affected Platforms]
Oracle Communications Unified Assurance versions 6.11 to 7.00
Oracle Database Server versions 23.4.0 to 23.26.2
Oracle Flow Manufacturing versions 12.2.3 to 12.2.15
Oracle Hospitality OPERA 5 Property Services version 5.6.19.24
Oracle Hospitality OPERA 5 Property Services version 5.6.22
Oracle Hospitality OPERA 5 Property Services version 5.6.25.19
Oracle Hospitality OPERA 5 Property Services version 5.6.27.6
Oracle Hospitality OPERA 5 Property Services version 5.6.28
Oracle iAssets versions 12.2.3 to 12.2.15
Oracle Internet Procurement Connector versions 12.2.3 to 12.2.15
Oracle Payments versions 12.2.3 to 12.2.15
Oracle Payroll versions 12.2.3 to 12.2.15
Oracle REST Data Services versions 24.2.0 to 26.1.0
Oracle Universal Work Queue versions 12.2.3 to 12.2.15
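As an added example (not part of the TWCERT alert or any Oracle tooling), the following Python script checks an asset inventory against the affected version ranges listed above. It compares versions numerically, since a plain string comparison would wrongly place 23.26.2 below 23.4.0 or 6.9 above 6.11; product names and inventory entries are constructed for illustration.

```python
from typing import Optional

# Affected ranges transcribed from the [Affected Platforms] list above.
# (product, lowest affected, highest affected); a single version repeats the value.
AFFECTED = [
    ("Oracle Communications Unified Assurance", "6.11", "7.00"),
    ("Oracle Database Server", "23.4.0", "23.26.2"),
    ("Oracle Flow Manufacturing", "12.2.3", "12.2.15"),
    ("Oracle Hospitality OPERA 5 Property Services", "5.6.19.24", "5.6.19.24"),
    ("Oracle Hospitality OPERA 5 Property Services", "5.6.22", "5.6.22"),
    ("Oracle Hospitality OPERA 5 Property Services", "5.6.25.19", "5.6.25.19"),
    ("Oracle Hospitality OPERA 5 Property Services", "5.6.27.6", "5.6.27.6"),
    ("Oracle Hospitality OPERA 5 Property Services", "5.6.28", "5.6.28"),
    ("Oracle iAssets", "12.2.3", "12.2.15"),
    ("Oracle Internet Procurement Connector", "12.2.3", "12.2.15"),
    ("Oracle Payments", "12.2.3", "12.2.15"),
    ("Oracle Payroll", "12.2.3", "12.2.15"),
    ("Oracle REST Data Services", "24.2.0", "26.1.0"),
    ("Oracle Universal Work Queue", "12.2.3", "12.2.15"),
]


def parse_version(text: str, width: int = 4) -> tuple:
    """Turn '23.4.0' into (23, 4, 0, 0): numeric, zero-padded to a fixed width
    so that '7.00', '7.0' and '7.0.0.0' compare as equal."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(product: str, version: str) -> Optional[bool]:
    """True if the version falls inside an affected range for this product,
    False if it does not, None if the product is not named in the alert."""
    ranges = [(lo, hi) for p, lo, hi in AFFECTED if p == product]
    if not ranges:
        return None
    ver = parse_version(version)
    return any(parse_version(lo) <= ver <= parse_version(hi) for lo, hi in ranges)


def exposed_assets(inventory: list) -> list:
    """Return (hostname, product, version) for every inventory entry in scope."""
    return [(h, p, v) for h, p, v in inventory if is_affected(p, v)]


# Constructed inventory for demonstration; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("db01.example.internal", "Oracle Database Server", "23.10.1"),
    ("ords01.example.internal", "Oracle REST Data Services", "26.1.0"),
    ("pms01.example.internal", "Oracle Hospitality OPERA 5 Property Services", "5.6.23"),
    ("ua01.example.internal", "Oracle Communications Unified Assurance", "6.9"),
]

if __name__ == "__main__":
    for host, product, version in exposed_assets(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is within an affected range; apply the May 2026 CPU")
```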
[Recommended Action]
Patch according to the solutions released on the official website: https://www.oracle.com/security-alerts/cspumay2026.html
[References]
1. https://www.twcert.org.tw/tw/cp-169-10945-d47ee-1.html