CVE-2017-10396

9.9 CRITICAL

📋 TL;DR

Oracle Hospitality Cruise AffairWhere versions 2.2.5.0, 2.2.6.0 and 2.2.7.0 contain a vulnerability that a low-privileged attacker who can log on to the infrastructure where AffairWhere executes can exploit, provided a person other than the attacker performs some interaction. Oracle rates it easily exploitable and says a successful attack results in takeover of the AffairWhere component, so the outcome is a complete compromise of that system.

💻 Affected Systems

Products:
  • Oracle Hospitality Cruise AffairWhere
Versions: 2.2.5.0, 2.2.6.0, 2.2.7.0
Operating Systems: Not specified in CVE
Default Config Vulnerable: ⚠️ Yes
Notes: Oracle describes the attacker as low privileged with logon access to the infrastructure where the component executes; successful exploitation additionally requires interaction from a person other than the attacker.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete takeover of the Oracle Hospitality Cruise AffairWhere system, compromising the confidentiality, integrity, and availability of the cruise hospitality infrastructure it serves.

🟠 Likely Case

Privilege escalation leading to unauthorized access to sensitive passenger data, booking systems, and operational controls within the cruise environment.

🟢 If Mitigated

Limited impact if network segmentation, least-privilege access to the AffairWhere hosts, and monitoring are in place to contain a compromised account.

🌐 Internet-Facing: LOW - Requires local access to infrastructure where component executes, not directly internet-accessible.
🏢 Internal Only: HIGH - Exploitable by low-privileged authenticated users within the internal network, with significant impact potential.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Oracle rates the vulnerability easily exploitable, but it requires an authenticated low-privileged logon to the host plus interaction from another user. No public exploit code is identified in the references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply Critical Patch Update October 2017 or later

Vendor Advisory: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Restart Required: Yes

Instructions:

1. Download the October 2017 Critical Patch Update for Oracle Hospitality Cruise AffairWhere from Oracle Support.
2. Apply the patch to every affected Oracle Hospitality Cruise AffairWhere installation.
3. Restart the affected services.
4. Verify the patch was applied through a version check.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate Oracle Hospitality Cruise AffairWhere systems from general user networks

Privilege Reduction (applies to: all)

Implement least-privilege access controls to limit who can log on to the infrastructure where AffairWhere executes

🧯 If You Can't Patch

  • Restrict and monitor interactive logon to the hosts where Oracle Hospitality Cruise AffairWhere executes, since exploitation requires a low-privileged logon there plus interaction from a second user
  • Segment the network to isolate affected systems and place application-level firewalls in front of them

🔍 How to Verify

Check if Vulnerable:

Compare the installed Oracle Hospitality Cruise AffairWhere version with the affected list (2.2.5.0, 2.2.6.0, 2.2.7.0)

Check Version:

Read the version from the Oracle Hospitality Cruise AffairWhere administration interface or its configuration files

Verify Fix Applied:

Confirm that the October 2017 Critical Patch Update (or a later CPU) is recorded as applied to every installation. Treat a version string that is merely absent from the affected list as inconclusive until the patch inventory confirms the CPU is present.
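The version check above is easy to get wrong when versions are compared as strings ("2.2.10.0" sorts below "2.2.7.0"). The following Python is an added example, not Oracle tooling: it parses dotted version strings into integer tuples, classifies each against the advisory's affected list, and triages a constructed host inventory. Host names and versions in the sample are invented.

```python
"""Version triage for CVE-2017-10396 (added example; not Oracle tooling).

Compares AffairWhere version strings with the affected versions published in
the October 2017 CPU (2.2.5.0, 2.2.6.0, 2.2.7.0). Versions are compared as
integer tuples rather than strings, because "2.2.10.0" < "2.2.7.0" as text.
"""
from __future__ import annotations

# Affected versions exactly as listed in the advisory.
AFFECTED = {(2, 2, 5, 0), (2, 2, 6, 0), (2, 2, 7, 0)}
LOWEST_AFFECTED = min(AFFECTED)
HIGHEST_AFFECTED = max(AFFECTED)


def parse_version(text: str) -> tuple[int, int, int, int]:
    """'2.2.7' or '2.2.7.0' -> (2, 2, 7, 0). Raises ValueError on junk input."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version shape: {text!r}")
    try:
        nums = [int(p) for p in parts]
    except ValueError as exc:
        raise ValueError(f"non-numeric component in {text!r}") from exc
    if any(n < 0 for n in nums):
        raise ValueError(f"negative component in {text!r}")
    nums += [0] * (4 - len(nums))          # right-pad so 2.2.7 == 2.2.7.0
    return nums[0], nums[1], nums[2], nums[3]


def assess(version: str) -> str:
    """Classify one version string against the advisory's affected list."""
    v = parse_version(version)
    if v in AFFECTED:
        return "AFFECTED"        # listed as vulnerable: CPU October 2017 required
    if v < LOWEST_AFFECTED:
        return "OLDER_UNLISTED"  # older than anything Oracle assessed; do not assume safe
    if v > HIGHEST_AFFECTED:
        return "NEWER_UNLISTED"  # later release; still confirm the CPU is recorded as applied
    return "GAP_UNLISTED"        # e.g. 2.2.5.1: sits between listed versions, treat as suspect


def triage_inventory(rows) -> dict[str, str]:
    """rows: iterable of (host, version) pairs -> {host: status}.

    A malformed version string is reported, not allowed to abort the whole run.
    """
    out: dict[str, str] = {}
    for host, version in rows:
        try:
            out[host] = assess(version)
        except ValueError as exc:
            out[host] = f"UNPARSEABLE ({exc})"
    return out


# Constructed sample inventory; hosts and versions are invented for the example.
SAMPLE_INVENTORY = [
    ("aw-app-01", "2.2.7.0"),   # affected
    ("aw-app-02", "2.2.10.0"),  # newer than the list; string compare would call it older
    ("aw-app-03", "2.2.4.9"),   # older than the list
    ("aw-app-04", "2.2.x"),     # garbage from a config file
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Anything other than a clean NEWER_UNLISTED result, paired with a patch-inventory record of the October 2017 CPU, should be treated as unpatched.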

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication patterns
  • Privilege escalation attempts
  • Unexpected process execution

Network Indicators:

  • Unusual traffic patterns from AffairWhere systems
  • Unexpected outbound connections

SIEM Query (illustrative; the source and event_type fields are placeholders that must be mapped to the field names your log pipeline actually emits):

source="oracle_affairwhere" AND (event_type="privilege_escalation" OR event_type="unusual_process")
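To turn the "unexpected process execution" indicator into something concrete, here is an added example (not from the page, Oracle, or any product) that runs a process-lineage rule over Sysmon Event ID 1 records exported as JSON lines: it flags shells and script hosts whose parent is the AffairWhere process. The image name AffairWhere.exe, the install path, and the JSON export shape (one Sysmon event per line with its native field names) are assumptions; the sample events are constructed, not captured from a real host.

```python
"""Process-lineage detection for AffairWhere hosts (added example).

Scans Sysmon Event ID 1 (process creation) records exported as JSON lines and
flags shells or script hosts spawned by the AffairWhere process. The image
name "AffairWhere.exe" and the JSON field layout are ASSUMPTIONS; verify both
against a real installation before deploying the rule.
"""
from __future__ import annotations

import json
from pathlib import PureWindowsPath

# Assumed AffairWhere process image name(s), compared case-insensitively.
AFFAIRWHERE_IMAGES = {"affairwhere.exe"}

# Children an application process should not normally spawn.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Constructed sample events using Sysmon EID 1 field names; not real telemetry.
_AW = r"C:\Program Files\Oracle\AffairWhere\AffairWhere.exe"
_SAMPLE_RECORDS = [
    {"EventID": 1, "UtcTime": "2017-10-18 09:12:01.100", "User": r"CRUISE\jsmith",
     "ParentImage": r"C:\Windows\explorer.exe", "Image": _AW,
     "CommandLine": f'"{_AW}"'},                                   # normal launch
    {"EventID": 1, "UtcTime": "2017-10-18 09:13:44.210", "User": r"CRUISE\jsmith",
     "ParentImage": _AW, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami /all"},                     # hit
    {"EventID": 1, "UtcTime": "2017-10-18 09:14:02.005", "User": r"CRUISE\jsmith",
     "ParentImage": _AW,
     "Image": r"C:\Program Files\Oracle\AffairWhere\ReportViewer.exe",
     "CommandLine": "ReportViewer.exe /print"},                    # benign child (assumed)
    {"EventID": 1, "UtcTime": "2017-10-18 09:15:30.900", "User": r"CRUISE\mlee",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},                                    # shell, but not from AffairWhere
    {"EventID": 1, "UtcTime": "2017-10-18 09:16:11.330", "User": r"CRUISE\jsmith",
     "ParentImage": _AW,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <redacted>"},  # hit
]
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in _SAMPLE_RECORDS) + "\n{not json\n"


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path; works on non-Windows hosts."""
    return PureWindowsPath(path).name.lower()


def is_suspicious(event: dict) -> bool:
    """True when AffairWhere spawns a shell or script host."""
    if event.get("EventID") != 1:
        return False
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    return parent in AFFAIRWHERE_IMAGES and child in SUSPICIOUS_CHILDREN


def detect(jsonl: str) -> list[dict]:
    """Return one alert dict per suspicious event; malformed lines are skipped."""
    hits: list[dict] = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # one bad line must not blind the detector
        if is_suspicious(ev):
            hits.append({
                "time": ev.get("UtcTime"),
                "user": ev.get("User"),           # low-privileged account, per the advisory
                "parent": _basename(ev["ParentImage"]),
                "child": _basename(ev["Image"]),
                "cmdline": ev.get("CommandLine", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_JSONL):
        print(f"{hit['time']} {hit['user']} {hit['parent']} -> {hit['child']}: {hit['cmdline']}")
```

The rule keys on parent/child lineage rather than on the command line, so an encoded or obfuscated command still fires; tune AFFAIRWHERE_IMAGES and SUSPICIOUS_CHILDREN to what the real process tree on your hosts looks like before alerting on it.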
