JVN#37376131: Multiple vulnerabilities in ORCA(Online Receipt Computer Advantage)

2018-07-18T00:00:00
ID JVN:37376131
Type jvn
Reporter Japan Vulnerability Notes
Modified 2018-07-18T00:00:00

Description

## Description

ORCA(Online Receipt Computer Advantage) provided by ORCA Management Organization Co., Ltd contains vulnerabilities listed below.

  • OS command injection* (CWE-78) - CVE-2018-0643* CVSS v3 | CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L | Base Score: 4.1
    ---|---|---
    CVSS v2 | AV:A/AC:M/Au:S/C:P/I:P/A:P | Base Score: 4.9
  • Buffer overflow (CWE-119) - CVE-2018-0644 CVSS v3 | CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L | Base Score: 5.5
    ---|---|---
    CVSS v2 | AV:A/AC:L/Au:S/C:P/I:P/A:P | Base Score: 5.2

## Impact

The possible impact of each vulnerability is as follows:

CVE-2018-0643

  • A user with access to the network that is connected to the affected product may execute an arbitrary command on the product CVE-2018-0644

  • If a user opens a specially crafted file while logged into the affected product, that may result in a denial-of-service (DoS) condition.

## Solution

Update the software
Update the software to the latest version according to the information provided by the developer.

## Products Affected

CVE-2018-0643

  • Ubuntu14.04 ORCA(Online Receipt Computer Advantage)4.8.0(panda-server) 1:1.4.9+p41-u4jma1 and earlier CVE-2018-0644

  • Ubuntu14.04 ORCA(Online Receipt Computer Advantage)4.8.0(panda-client2) 1:1.4.9+p41-u4jma1 and earlier

  • Ubuntu14.04 ORCA(Online Receipt Computer Advantage)5.0.0(panda-client2) 1:2.0.0+p48-u4jma1 and earlier
  • Ubuntu16.04 ORCA(Online Receipt Computer Advantage)5.0.0(panda-client2) 1:2.0.0+p48-u5jma1 and earlier