[TLP:CLEAR]
security bulletin 105/2026
Oracle updates
05-06-2026
oracle, e-business-suite, rest-data-services, openssl, apache, heap-overflow
description
The bulletin covers 35 patches spread across Oracle Database Server, REST Data Services, E-Business Suite, Hospitality and third-party components integrated into the Oracle ecosystem. The highest-severity vulnerabilities affect native Oracle components with CVSS 10: Oracle REST Data Services (Core and Backend-as-a-Service), Oracle E-Business Suite (Payments/File Transmission, iAssets/Internal Operations, Universal Work Queue) and Oracle Hospitality OPERA 5 Property Services. These are classified as CWE-284 (Improper Access Control) or carry no declared CWE at all.
Among the third-party components: OpenSSL is affected by a stack buffer overflow (CWE-787) in the parsing of CMS AuthEnvelopedData; Apache Kafka by missing JWT validation in OAUTHBEARER (CWE-1285); Apache ActiveMQ by code injection through a Jolokia-exposed MBean; Apache HTTP Server by a heap over-read in mod_proxy_ajp (CWE-126); Apache Tomcat by information disclosure through logging of the Kubernetes bearer token (CWE-532); Eclipse Jetty by HTTP request smuggling (CWE-444); Apache ZooKeeper by information disclosure in logs (CWE-532); PCRE2 by a heap buffer overflow in match_ref; libpng by a heap buffer overflow in png_set_quantize.
Oracle Database Server exposes one vulnerability in the Net Service component (CWE-400, DoS) and one with scope Changed and AC:H.
notes
CRITICAL PRIORITY (priority_score > 9): CVE-2025-15467 (OpenSSL, highest priority_score in the set): stack buffer overflow in CMS AuthEnvelopedData, AV:N/AC:L/PR:N/UI:N, EPSS at the 86th percentile, the highest in the whole bulletin. Affects OpenSSL 3.0.x < 3.0.19, 3.3.x < 3.3.6, 3.4.x < 3.4.4, 3.5.x < 3.5.5, 3.6.x < 3.6.1.
CVE-2026-34311 (Oracle Hospitality OPERA 5): CVSS 10, AV:N/AC:L/PR:N/UI:N/S:U, C/I/A:H. Affected versions: 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6, 5.6.28.
CVE-2026-46775 and CVE-2026-46839 (Oracle REST Data Services/Core, CWE-284): CVSS 10, AV:N/AC:L/PR:L/UI:N/S:C, scope Changed, so the impact reaches beyond the vulnerable component. CPEs not available.
CVE-2026-46840 (Oracle REST Data Services/Backend-as-a-Service): CVSS 10, AV:N/AC:L/PR:N/UI:N/S:C, exploitable without authentication, scope Changed.
CVE-2026-46817 (Oracle E-Business Suite/Payments): CVSS 10, AV:N/AC:L/PR:N/UI:N/S:U, C/I/A:H. CPEs not available.
CVE-2026-46822 (Oracle iAssets) and CVE-2026-46824 (Oracle Universal Work Queue): CVSS 10, AV:N/AC:L/PR:L/UI:N/S:C, versions 12.2.3–12.2.15, CWE-284.
CVE-2026-33557 (Apache Kafka): missing JWT validation in OAUTHBEARER, AV:N/AC:L/PR:N/UI:N, C/A:H. Versions from 4.1.0 up to but excluding 4.1.2.
CVE-2026-41044 (Apache ActiveMQ): code injection via the DestinationView MBean exposed by Jolokia; requires PR:L (an authenticated user). Affects ActiveMQ < 5.19.6 and 6.0.0–6.2.5, and ActiveMQ Broker in the same versions.
CVE-2026-46833 (Oracle Database Server/Net Service): CVSS 9, AV:N/AC:H/PR:N/UI:N/S:C, high attack complexity but scope Changed, C/I/A:H.
CVE-2026-46826, CVE-2026-46827, CVE-2026-46837 (Oracle E-Business Suite/Payroll, Flow Manufacturing): CVSS 9, AV:N/AC:L/PR:L, C/I/A:H. CVE-2026-46826 carries CWE-306 (Missing Authentication for Critical Function).
HIGH SEVERITY:
CVE-2026-34059 (Apache HTTP Server mod_proxy_ajp): heap over-read, AV:N/AC:L/PR:N/UI:N, confidentiality H. Versions < 2.4.67.
CVE-2026-34487 (Apache Tomcat): Kubernetes bearer token written to the log, AV:N/AC:L/PR:N. Tomcat versions 9.0.13–9.0.117, 10.1.0–10.1.54, 11.0.0–11.0.21.
CVE-2026-2332 (Eclipse Jetty): HTTP request smuggling via chunk extension, AV:N/AC:H/PR:N. Versions 9.4.0–9.4.60, 10.0.0–10.0.28, 11.0.0–11.0.28, 12.0.0–12.0.33, 12.1.0–12.1.7.
CVE-2026-24308 (Apache ZooKeeper): sensitive information exposed in client logs, AV:N/AC:L/PR:L. Versions 3.8.0–3.8.6, 3.9.0–3.9.5.
DoS in Oracle Database Server and Oracle REST Data Services (CVE-2026-46829, CVE-2026-46834, CVE-2026-46835): CWE-400, AV:N/AC:L/PR:N, A:H, exploitable without authentication.
CVE-2026-35266 (Oracle REST Data Services/Core): CSRF (CWE-352), AC:H/PR:L/UI:R/S:C, priority medium.
CVE-2025-58050 (PCRE2 10.45): heap buffer overflow in match_ref, AV:N/AC:L/PR:N, CVSS 4.0 score 7, priority high (the CVE table below lists it as critical; the two sources of this bulletin disagree on this entry).
CVE-2026-25646 (libpng < 1.6.55): heap buffer overflow in png_set_quantize, AV:N/AC:H/AT:P, CVSS 4.0 score 8, priority critical.
As of today none of these CVEs appears in the CISA KEV catalogue, and no in-the-wild exploitation or public proof-of-concept is known.
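The version ranges quoted in the notes above, turned into a check that can be run against a software inventory. This is an added example, not part of the bulletin or of any vendor tool; the AFFECTED table is transcribed from the notes, and the hosts in INVENTORY are constructed samples. Components for which the bulletin gives no version data (the REST Data Services entries and EBS/Payments, where CPEs are not available) are deliberately absent, so an empty result means "no range known", not "not affected".

```python
"""Affected-version check for the components in this bulletin.

Added example, not part of the bulletin or of any vendor tooling. AFFECTED is
transcribed from the notes above; INVENTORY is a constructed sample.
"""
from __future__ import annotations

import re


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '3.0.19', '9.0.117' or '5.6.19.24' into a comparable tuple of ints.
    Pre-release / build suffixes after '-' or '+' are dropped first."""
    core = v.split("-")[0].split("+")[0]
    nums = re.findall(r"\d+", core)
    if not nums:
        raise ValueError(f"not a version string: {v!r}")
    return tuple(int(n) for n in nums)


# Per CVE: (component, [(low, high, high_inclusive), ...]), from the notes above.
# "a–b" in the notes is inclusive at both ends; "< x" is exclusive at the top.
# OpenSSL 3.1.x / 3.2.x are not listed in the bulletin, so they never match.
AFFECTED: dict[str, tuple[str, list[tuple[str, str, bool]]]] = {
    "CVE-2025-15467": ("OpenSSL", [
        ("3.0.0", "3.0.19", False), ("3.3.0", "3.3.6", False), ("3.4.0", "3.4.4", False),
        ("3.5.0", "3.5.5", False), ("3.6.0", "3.6.1", False)]),
    "CVE-2026-34311": ("Oracle Hospitality OPERA 5", [
        (v, v, True) for v in ("5.6.19.24", "5.6.22", "5.6.25.19", "5.6.27.6", "5.6.28")]),
    "CVE-2026-46822": ("Oracle E-Business Suite", [("12.2.3", "12.2.15", True)]),
    "CVE-2026-46824": ("Oracle E-Business Suite", [("12.2.3", "12.2.15", True)]),
    "CVE-2026-33557": ("Apache Kafka", [("4.1.0", "4.1.2", False)]),
    "CVE-2026-41044": ("Apache ActiveMQ", [("0", "5.19.6", False), ("6.0.0", "6.2.5", True)]),
    "CVE-2026-34059": ("Apache HTTP Server", [("0", "2.4.67", False)]),
    "CVE-2026-34487": ("Apache Tomcat", [
        ("9.0.13", "9.0.117", True), ("10.1.0", "10.1.54", True), ("11.0.0", "11.0.21", True)]),
    "CVE-2026-2332": ("Eclipse Jetty", [
        ("9.4.0", "9.4.60", True), ("10.0.0", "10.0.28", True), ("11.0.0", "11.0.28", True),
        ("12.0.0", "12.0.33", True), ("12.1.0", "12.1.7", True)]),
    "CVE-2026-24308": ("Apache ZooKeeper", [("3.8.0", "3.8.6", True), ("3.9.0", "3.9.5", True)]),
    "CVE-2026-25646": ("libpng", [("0", "1.6.55", False)]),
}


def affected_by(component: str, version: str) -> list[str]:
    """CVEs from this bulletin whose affected ranges contain `version`.
    An empty list means no known range matched, which is not a clean bill
    for components the bulletin gives no version data for."""
    v = parse_version(version)
    hits: list[str] = []
    for cve, (comp, ranges) in AFFECTED.items():
        if comp != component:
            continue
        for low, high, inclusive in ranges:
            lo, hi = parse_version(low), parse_version(high)
            if lo <= v and (v <= hi if inclusive else v < hi):
                hits.append(cve)
                break
    return hits


# Constructed sample inventory (host, component, version); not real systems.
INVENTORY = [
    ("db01", "OpenSSL", "3.0.18"),
    ("db02", "OpenSSL", "3.5.5"),
    ("web01", "Apache Tomcat", "9.0.117"),
    ("mq01", "Apache ActiveMQ", "6.2.5"),
    ("zk01", "Apache ZooKeeper", "3.9.6"),
    ("pms01", "Oracle Hospitality OPERA 5", "5.6.28"),
]


def triage(inventory):
    """Hosts that match at least one range, with the CVEs to action."""
    out = []
    for host, comp, ver in inventory:
        cves = affected_by(comp, ver)
        if cves:
            out.append((host, comp, ver, cves))
    return out


if __name__ == "__main__":
    for host, comp, ver, cves in triage(INVENTORY):
        print(f"{host}: {comp} {ver} -> {', '.join(cves)}")
```

The inclusive/exclusive flag matters at the boundaries: Tomcat 9.0.117 is affected (the notes give 9.0.13–9.0.117 inclusive) while OpenSSL 3.0.19 is not (the notes give "< 3.0.19"). Keep the two notations distinct when transcribing future bulletins.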
CVE
| CVE | CVSS (version: score) | EPSS | EPSS percentile | priority |
|---|---|---|---|---|
| CVE-2025-15467 | 3.1: 9.8 | 2.889% | 86.56% | critical |
| CVE-2026-34311 | 3.1: 10.0 | 0.122% | 30.81% | critical |
| CVE-2026-33557 | 3.1: 9.0 | 0.223% | 45.04% | critical |
| CVE-2026-46822 | 3.1: 10.0 | 0.082% | 24.00% | critical |
| CVE-2026-46824 | 3.1: 10.0 | 0.082% | 24.00% | critical |
| CVE-2026-41044 | 3.1: 9.0 | 0.073% | 22.25% | critical |
| CVE-2026-34059 | 3.1: 8.0 | 0.106% | 28.24% | critical |
| CVE-2025-58050 | 4.0: 7.0 | 0.056% | 17.67% | critical |
| CVE-2026-46817 | 3.1: 10.0 | 0.041% | 12.88% | critical |
| CVE-2026-46840 | 3.1: 10.0 | 0.041% | 12.88% | critical |
| CVE-2026-34487 | 3.1: 8.0 | 0.091% | 25.72% | critical |
| CVE-2026-25646 | 4.0: 8.0 | 0.081% | 23.82% | critical |
| CVE-2026-46775 | 3.1: 10.0 | 0.039% | 11.99% | critical |
| CVE-2026-46839 | 3.1: 10.0 | 0.039% | 11.99% | critical |
| CVE-2026-46820 | 3.1: 9.0 | 0.045% | 14.31% | critical |
| CVE-2026-46833 | 3.1: 9.0 | 0.043% | 13.34% | critical |
| CVE-2026-46826 | 3.1: 9.0 | 0.039% | 11.99% | critical |
| CVE-2026-46827 | 3.1: 9.0 | 0.039% | 11.99% | critical |
| CVE-2026-46837 | 3.1: 9.0 | 0.039% | 11.99% | critical |
| CVE-2026-46819 | 3.1: 9.0 | 0.030% | 9.13% | critical |
| CVE-2026-46829 | 3.1: 8.0 | 0.040% | 12.35% | critical |
| CVE-2026-46834 | 3.1: 8.0 | 0.040% | 12.35% | critical |
| CVE-2026-46835 | 3.1: 8.0 | 0.040% | 12.35% | critical |
| CVE-2026-46821 | 3.1: 8.0 | 0.034% | 10.30% | high |
| CVE-2026-46823 | 3.1: 8.0 | 0.034% | 10.30% | high |
| CVE-2026-35277 | 3.1: 8.0 | 0.028% | 8.57% | high |
| CVE-2026-46828 | 3.1: 8.0 | 0.028% | 8.57% | high |
| CVE-2026-46818 | 3.1: 7.0 | 0.030% | 9.13% | high |
| CVE-2026-2332 | 3.1: 7.0 | 0.026% | 7.81% | high |
| CVE-2026-24308 | 3.1: 7.0 | 0.022% | 6.58% | high |
| CVE-2026-35266 | 3.1: 8.0 | 0.017% | 4.46% | medium |
| CVE-2026-46843 | 3.1: 5.0 | 0.039% | 11.96% | medium |
| CVE-2026-46842 | 3.1: 5.0 | 0.028% | 8.48% | medium |
| CVE-2026-46830 | 3.1: 5.0 | 0.028% | 8.34% | medium |
| CVE-2026-46841 | 3.1: 5.0 | 0.028% | 8.34% | medium |
NOTE: the vulnerabilities are ordered by operational priority, computed by combining theoretical severity (CVSS) with the estimated probability of exploitation (EPSS). The whole-number CVSS scores are rounded: where the notes above give a full vector, recompute the exact base score from it (for instance AV:N/AC:L/PR:L/UI:N/S:C with C:H/I:H/A:H yields 9.9 under CVSS 3.1, not 10).
attack types
| CWE | description |
|---|---|
| CWE-787 | Out-of-bounds Write |
| CWE-400 | Uncontrolled Resource Consumption |
| CWE-284 | Improper Access Control |
| CWE-444 | Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') |
| CWE-352 | Cross-Site Request Forgery (CSRF) |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
| CWE-1285 | Improper Validation of Specified Index, Position, or Offset in Input |
| CWE-532 | Insertion of Sensitive Information into Log File |
| CWE-126 | Buffer Over-read |
| CWE-269 | Improper Privilege Management |
| CWE-306 | Missing Authentication for Critical Function |
| CWE-863 | Incorrect Authorization |
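Two entries in this bulletin (Tomcat, ZooKeeper) are CWE-532, a credential written into a log. The response step for that class is to find what has already leaked and rotate it. The scanner below, an added example that is not part of the bulletin or of either project, looks for JWT-shaped bearer tokens in log lines and decodes the payload (without verifying the signature) to name the subject; Kubernetes service-account tokens are JWTs whose `sub` is `system:serviceaccount:<namespace>:<name>`. The log lines and the token are constructed here, and the log format is only a loose imitation of a Tomcat log.

```python
"""Find JWT-shaped bearer tokens leaked into log lines (CWE-532) and attribute
each one to its Kubernetes service account so it can be rotated.

Added example, not part of the bulletin or of Tomcat/ZooKeeper. The log lines
and the token are constructed. The signature is never verified: the payload is
decoded only to identify the token's subject.
"""
import base64
import json
import re

# Three base64url segments; a JSON header always starts with '{"', which
# base64-encodes to "eyJ".
JWT_RE = re.compile(r"(eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_sample_token(subject: str) -> str:
    """Construct a token with the shape of a Kubernetes service-account JWT.
    The signature segment is filler bytes, not a real signature."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "sample"}).encode())
    payload = _b64url_encode(
        json.dumps({"iss": "kubernetes/serviceaccount", "sub": subject}).encode())
    return f"{header}.{payload}.{_b64url_encode(bytes(32))}"


def find_leaked_tokens(lines):
    """One finding per token: line number, issuer and subject claims."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for token in JWT_RE.findall(line):
            try:
                claims = json.loads(_b64url_decode(token.split(".")[1]))
            except ValueError:  # bad base64url or non-JSON payload: not a JWT
                continue
            findings.append({"line": n, "iss": claims.get("iss"), "sub": claims.get("sub")})
    return findings


def redact(line: str) -> str:
    """Replace every token with a short prefix so the log can be shared."""
    return JWT_RE.sub(lambda m: m.group(1)[:10] + "...[REDACTED]", line)


# Constructed log sample loosely shaped like a Tomcat log; not real traffic.
TOKEN = make_sample_token("system:serviceaccount:monitoring:prometheus")
SAMPLE_LOG = [
    '05-Jun-2026 10:00:01.000 INFO [main] Starting ProtocolHandler ["http-nio-8080"]',
    f"05-Jun-2026 10:00:02.000 FINE [main] Authorization: Bearer {TOKEN}",
    "05-Jun-2026 10:00:03.000 INFO [main] Server startup in [1234] milliseconds",
]

if __name__ == "__main__":
    for f in find_leaked_tokens(SAMPLE_LOG):
        print(f"line {f['line']}: token for {f['sub']} (iss={f['iss']}) -> rotate")
    print(redact(SAMPLE_LOG[1]))
```

A finding is a rotation task, not proof of compromise: the token was present in a file whose readers are a wider set than the token's intended holders. Run the scan over shipped copies too (log forwarders, backups, ticket attachments), since the Tomcat and ZooKeeper fixes stop new writes but do not clean up what is already there.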
affected products
| vendor | product & versions |
|---|---|
| oracle | financials common modules |
references
| www.oracle.com/security-alerts/cspumay2026.html |