4 serious vulnerabilities in Hyperion Infrastructure Technology

Cybersecurity specialists report the detection of four critical vulnerabilities in Hyperion Infrastructure Technology, a centralized solution for financial and operational planning in enterprise environments developed by the technology firm Oracle. According to the report, successful exploitation of these flaws would allow threat actors to access sensitive information and deploy multiple attack variants.

Below are brief descriptions of the reported vulnerabilities. It also presents the identification keys of these flaws and their scores assigned according to the Common Vulnerability Scoring System (CVSS).

CVE-2019-2729: Insecure validation of input when processing serialized data within the XMLDecoder class would allow unauthenticated remote threat actors to pass specially crafted data to the affected application and execute arbitrary code.

This is a critical flaw and received a CVSS score of 9.4/10. It is important to mention that this vulnerability has already been exploited in real-world scenarios to completely compromise the affected systems.

CVE-2021-2347: Improper validation of entries within the lifecycle management component in Hyperion would allow privileged remote users to manipulate the information entered into the system.

This is a flaw of medium severity and received a CVSS score of 4.5/10.

CVE-2021-2445: Incorrect input validation within the lifecycle management component in Hyperion would allow remote users with high privileges to manipulate relevant information on the system.

The vulnerability received a CVSS score of 5/10.

CVE-2017-14735: Insufficient disinfection of user input allows remote attackers to trick the victim into opening a specially crafted link that will execute HTML code in the context of a vulnerable website.

The flaw received a score of 5.3/10 and its successful exploitation would allow threat actors to deploy cross-site scripting (XSS) attacks.

All of these flaws reside in the following versions of Hyperion Infrastructure Technology: v11.1.2.4 and v11.2.5.0.

As mentioned above, these vulnerabilities could be or have been exploited by remote threat actors over the Internet, so it is imperative that administrators of affected deployments upgrade to a secure version as soon as possible.

Security patches to address these vulnerabilities have already been issued by Oracle and are available through its official platforms. To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.