Source: Ministry of education information & communication security contingency platform
| Publication Number | TACERT-ANA-2026060102061919 | Publication Time | 2026-06-01 14:16:19 |
| Incident Type | ANA-Vulnerability Alert | Discovery Time | 2026-06-01 14:16:19 |
| Impact Level | Low | ||
| [Subject] 【Vulnerability Alert】Oracle Released Critical Security Advisories for Several of Its Products |
|||
| [Content]
Forwarded from TWCERTCC Security Advisory TWCERTCC-200-202605-00000016
【CVE-2026-46833, CVSS: 9.0】 This vulnerability exists in the Net Service component of Oracle Database Server, allowing unauthenticated attackers to access the Net Service component through TLS, which may have a significant impact on other products.
【CVE-2026-46840, CVSS: 10.0】 This vulnerability exists in the Backend-as-a-Service component of Oracle REST Data Services, allowing unauthenticated attackers to access Oracle REST Data Services through the HTTPS network.
【CVE-2026-46775, CVSS: 9.9; CVE-2026-46839, CVSS: 9.9】 These vulnerabilities exist in the Core component of Oracle REST Data Services. Low-privileged attackers may access Oracle REST Data Services through the HTTPS network. If successfully exploited, they may result in Oracle REST Data Services being completely controlled.
【CVE-2026-2332, CVSS: 9.1】 This vulnerability exists in the Core (Eclipse Jetty) component of Oracle REST Data Services, allowing unauthenticated attackers to access Oracle REST Data Services through the HTTPS network. If successfully exploited, it may result in unauthorized addition, deletion, or modification of critical data.
【CVE-2026-33557, CVSS: 9.1】 This vulnerability exists in the Message Bus (Apache Kafka) component of Oracle Communications Unified Assurance, allowing unauthenticated attackers to access Oracle Communications Unified Assurance through the TCP network. If successfully exploited, it may result in unauthorized addition, deletion, or modification of critical data.
【CVE-2025-15467, CVSS: 8.8】 This vulnerability exists in the Core (MySQL Server) component of Oracle Communications Unified Assurance, allowing unauthenticated attackers to access Oracle Communications Unified Assurance through the HTTP network. Successful exploitation of this vulnerability requires interaction from a user other than the attacker.
【CVE-2026-41044, CVSS: 8.8】 This vulnerability exists in the Message Bus (Apache Kafka) component of Oracle Communications Unified Assurance. Low-privileged attackers may access Oracle Communications Unified Assurance through the HTTPS network. If successfully exploited, it may result in Oracle Communications Unified Assurance being completely controlled.
【CVE-2026-46822, CVSS: 9.9】 This vulnerability exists in the Internal Operations component of Oracle iAssets. Low-privileged attackers may access Oracle iAssets through the HTTPS network and cause it to be attacked. If successfully exploited, it may result in Oracle iAssets being completely controlled.
【CVE-2026-46824, CVSS: 9.9】 This vulnerability exists in the Work Provider Site Level Administration component of Oracle Universal Work Queue. Low-privileged attackers may access Oracle Universal Work Queue through the HTTPS network. If successfully exploited, it may result in Oracle Universal Work Queue being completely controlled.
【CVE-2026-46817, CVSS: 9.8】 This vulnerability exists in the File Transmission component of Oracle Payments, allowing unauthenticated attackers to access Oracle Payments through the HTTP network. If successfully exploited, it may result in Oracle Payments being completely controlled.
【CVE-2026-46819, CVSS: 9.1】 This vulnerability exists in the Internal Operations component of Oracle Internet Procurement Connector, allowing unauthenticated attackers to access Oracle Internet Procurement Connector through the HTTP network. If successfully exploited, it may result in unauthorized addition, deletion, or modification of critical data.
【CVE-2026-46837, CVSS: 8.8】 This vulnerability exists in the Security component of Oracle Flow Manufacturing. Low-privileged attackers may access it over the network through SQL. If successfully exploited, it may result in Oracle Flow Manufacturing being completely controlled.
【CVE-2026-46826, CVSS: 8.8】 This vulnerability exists in the Internal Operations component of Oracle Payroll. Low-privileged attackers may access it through the HTTPS network. If successfully exploited, it may result in Oracle Payroll being completely controlled.
【CVE-2026-46827, CVSS: 8.8】 This vulnerability exists in the Self Service Manager component of Oracle Payroll. Low-privileged attackers may access it through the HTTP network. If successfully exploited, it may result in Oracle Payroll being completely controlled.
【CVE-2026-34311, CVSS: 9.8】 This vulnerability exists in the Opera component of Oracle Hospitality OPERA 5 Property Services, allowing unauthenticated attackers to access Oracle Hospitality OPERA 5 Property Services through the HTTP network. If successfully exploited, it may result in OPERA 5 Property Services being completely controlled.
Information Sharing Level: WHITE |
|||
| [Affected Platform]
Oracle Communications Unified Assurance versions 6.11 to 7.00
Oracle Database Server versions 23.4.0 to 23.26.2
Oracle Flow Manufacturing versions 12.2.3 to 12.2.15
Oracle Hospitality OPERA 5 Property Services 5.6.19.24
Oracle Hospitality OPERA 5 Property Services 5.6.22
Oracle Hospitality OPERA 5 Property Services 5.6.25.19
Oracle Hospitality OPERA 5 Property Services 5.6.27.6
Oracle Hospitality OPERA 5 Property Services 5.6.28
Oracle iAssets versions 12.2.3 to 12.2.15
Oracle Internet Procurement Connector versions 12.2.3 to 12.2.15
Oracle Payments versions 12.2.3 to 12.2.15
Oracle Payroll versions 12.2.3 to 12.2.15
Oracle REST Data Services versions 24.2.0 to 26.1.0
Oracle Universal Work Queue versions 12.2.3 to 12.2.15 |
|||
| [Recommended Actions]
Apply patches according to the solution released on the official website: |
|||
|
[Reference] |
|||