Cybersecurity specialists report the detection of four critical vulnerabilities in Hyperion Infrastructure Technology, a centralized solution for financial and operational planning in enterprise environments developed by the technology firm Oracle. According to the report, successful exploitation of these flaws would allow threat actors to access sensitive information and deploy multiple attack variants.
Below are brief descriptions of the reported vulnerabilities. It also presents the identification keys of these flaws and their scores assigned according to the Common Vulnerability Scoring System (CVSS).
CVE-2019-2729: Insecure validation of input when processing serialized data within the XMLDecoder class would allow unauthenticated remote threat actors to pass specially crafted data to the affected application and execute arbitrary code.
This is a critical flaw and received a CVSS score of 9.4/10. It is important to mention that this vulnerability has already been exploited in real-world scenarios to completely compromise the affected systems.
CVE-2021-2347: Improper validation of entries within the lifecycle management component in Hyperion would allow privileged remote users to manipulate the information entered into the system.
This is a flaw of medium severity and received a CVSS score of 4.5/10.
CVE-2021-2445: Incorrect input validation within the lifecycle management component in Hyperion would allow remote users with high privileges to manipulate relevant information on the system.
The vulnerability received a CVSS score of 5/10.
CVE-2017-14735: Insufficient disinfection of user input allows remote attackers to trick the victim into opening a specially crafted link that will execute HTML code in the context of a vulnerable website.
The flaw received a score of 5.3/10 and its successful exploitation would allow threat actors to deploy cross-site scripting (XSS) attacks.
All of these flaws reside in the following versions of Hyperion Infrastructure Technology: v22.214.171.124 and v126.96.36.199.
As mentioned above, these vulnerabilities could be or have been exploited by remote threat actors over the Internet, so it is imperative that administrators of affected deployments upgrade to a secure version as soon as possible.
Security patches to address these vulnerabilities have already been issued by Oracle and are available through its official platforms. To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.