There’s a problem with Opera. No, not that kind of opera. The Oracle kind. Oracle OPERA is a Property Management Solution (PMS) that is in use in a bunch of big-name hotels around the world. The PMS is the system that handles reservations and check-ins, talks to the phone system to put room extensions in the proper state, and generally runs the back-end of the property. It’s old code, and handles a bunch of tasks. And researchers at Assetnote found a serious vulnerability. CVE-2023-21932 is an arbitrary file upload issue, and rates at least a 7.2 CVSS.
It’s a tricky one, where the code does all the right things, but gets the steps out of order. Two parameters, jndiname and username, are encrypted for transport, and the sanitization step happens before decryption. The username parameter receives no further sanitization, and is vulnerable to path traversal injection. There are two restrictions to exploitation. The string encryption has to be valid, and the request has to include a valid Java Naming and Directory Interface (JNDI) name. It looks like these are the issues leading Oracle to consider this flaw “difficult to exploit vulnerability allows high privileged attacker…”.
The only problem is that the encryption key is global and static. It was pretty straightforward to reverse engineer the encryption routine. And JNDI strings can be fetched anonymously from a trio of endpoints. This led Assetnote to conclude that Oracle’s understanding of the flaw is faulty, and a much higher CVSS score is appropriate. Particularly with this Proof of Concept code, it is relatively straightforward to upload a web shell to an Opera system.
The one caveat there is that an attacker has to get network access to that install. These aren’t systems intended to be exposed to the internet, and my experience is that they are always on a dedicated network connection, not connected to the rest of the office network. Even the interconnect between the PMS and phone system is done via a serial connection, making this network flaw particularly hard to get to.
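The sanitize-before-decrypt ordering described above, as an added example that is not Oracle's or Assetnote's code: it shows why a filter run on the encoded value never sees the traversal sequence, next to the decode-then-validate order that does. Base64 stands in for the transport encryption, and the function names, upload root and sample usernames are constructed for illustration.

```python
import base64
import posixpath
import re

UPLOAD_ROOT = "/srv/app/uploads"                 # hypothetical upload directory
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")   # allow-list for the decoded value


def encode_param(value: str) -> str:
    """Stand-in for the client-side transport encryption (base64, not a real cipher)."""
    return base64.urlsafe_b64encode(value.encode()).decode()


def decode_param(token: str) -> str:
    """Stand-in for the server-side decryption step."""
    return base64.urlsafe_b64decode(token.encode()).decode()


def strip_traversal(value: str) -> str:
    """The sanitizer: removes '..' sequences and path separators."""
    return value.replace("..", "").replace("/", "").replace("\\", "")


def resolve_flawed(token: str) -> str:
    # Flawed order: the filter only ever sees the encoded token, which cannot
    # contain '..' or '/', so it changes nothing. The decoded value is trusted.
    username = decode_param(strip_traversal(token))
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, username))


def resolve_fixed(token: str) -> str:
    # Correct order: decode first, then validate the plaintext that is used.
    username = decode_param(token)
    if not SAFE_NAME.fullmatch(username):
        raise ValueError("username contains disallowed characters")
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, username))
    # Defence in depth: the final path must stay under the upload root.
    if not target.startswith(UPLOAD_ROOT + "/"):
        raise ValueError("path escapes upload root")
    return target


if __name__ == "__main__":
    # Constructed sample inputs, not values from any real request.
    for name in ("frontdesk01", "../../outside/note.txt"):
        token = encode_param(name)
        print(name, "->", resolve_flawed(token))
        try:
            print("  fixed:", resolve_fixed(token))
        except ValueError as exc:
            print("  fixed: rejected,", exc)
```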




Perhaps that’s the single most popular use for an NPN transistor – driving coils, like relays or solenoids. We are quite used to driving relays with BJTs, typically an NPN – but it doesn’t have to be a BJT, FETs often will do the job just as well! Here’s an N-FET, used in the exact same configuration as a typical BJT is, except instead of a base current limiting resistor, we have a gate-source resistor – you can’t quite solder the BJT out and solder the FET in after you have designed the board, but it’s a pretty seamless replacement otherwise. The freewheel (back EMF protection) diode is still needed for when you switch the relay and the coil produces wacky voltages in protest, but hey, can’t have every single aspect be superior.
He was born in Glasgow in 1821 and was the son of a successful shipbuilder, Robert Napier, into whose business he followed once he’d received his education. He’s probably most well known today for his work in nautical engineering and for inventing 
