Published: 2018/07/18  Last Updated: 2018/07/18

JVN#37376131
Multiple vulnerabilities in ORCA (Online Receipt Computer Advantage)

Overview

ORCA (Online Receipt Computer Advantage) provided by ORCA Management Organization Co., Ltd. contains multiple vulnerabilities.

Products Affected

CVE-2018-0643

  • Ubuntu 14.04 ORCA (Online Receipt Computer Advantage) 4.8.0 (panda-server) 1:1.4.9+p41-u4jma1 and earlier

CVE-2018-0644

  • Ubuntu 14.04 ORCA (Online Receipt Computer Advantage) 4.8.0 (panda-client2) 1:1.4.9+p41-u4jma1 and earlier
  • Ubuntu 14.04 ORCA (Online Receipt Computer Advantage) 5.0.0 (panda-client2) 1:2.0.0+p48-u4jma1 and earlier
  • Ubuntu 16.04 ORCA (Online Receipt Computer Advantage) 5.0.0 (panda-client2) 1:2.0.0+p48-u5jma1 and earlier

Description

ORCA (Online Receipt Computer Advantage) provided by ORCA Management Organization Co., Ltd. contains the vulnerabilities listed below.

  • OS command injection (CWE-78) - CVE-2018-0643
    CVSS v3 CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L Base Score: 4.1
    CVSS v2 AV:A/AC:M/Au:S/C:P/I:P/A:P Base Score: 4.9
  • Buffer overflow (CWE-119) - CVE-2018-0644
    CVSS v3 CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Base Score: 5.5
    CVSS v2 AV:A/AC:L/Au:S/C:P/I:P/A:P Base Score: 5.2

Impact

The possible impact of each vulnerability is as follows:

CVE-2018-0643

  • A user with access to the network that is connected to the affected product may execute an arbitrary command on the product.

CVE-2018-0644

  • If a user opens a specially crafted file while logged into the affected product, that may result in a denial-of-service (DoS) condition.

Solution

Update the software
Update the software to the latest version according to the information provided by the developer.

Vendor Status

Vendor: ORCA Management Organization Co., Ltd.
Status: Vulnerable
Last Update: 2018/07/18
Vendor Notes: ORCA Management Organization Co., Ltd. website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

All participants of IoT x Security Hackathon 2016 reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2018-0643, CVE-2018-0644
JVN iPedia: JVNDB-2018-000081