
SANS ISC: Microsoft Exchange/Sharepoint and others: Oracle Outside In Vulnerability - SANS Internet Storm Center



Microsoft published an unusual knowledge base article today, warning users of certain versions of Microsoft Exchange and SharePoint server of a remote code execution vulnerability introduced by Oracle's "Outside In" libraries that are included with these products. [1]

Affected Products:

Microsoft Exchange Server 2007
Microsoft Exchange Server 2010
FAST Search Server 2010 for Sharepoint

Oracle provided a patch for this issue in its July patch release [2]. The issue is covered by Oracle's "Fusion Middleware" fix. Outside In library version 8.3.7.77 and earlier is vulnerable. The fixed version is 8.3.7.171 (US-CERT also mentions 8.3.5.6369 as fixed).
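The version numbers above can be turned into a triage check for a file-version inventory. This is an added example, not code from the diary, Microsoft or Oracle; the inventory rows, host names and file names are constructed, and treating 8.3.5.x builds at or above 6369 and anything at or above 8.3.7.171 as fixed is an assumption. It shows why a plain "8.3.7.77 or lower" comparison is not enough: that test alone would flag 8.3.5.6369, which US-CERT lists as fixed.

```python
# Added example: triage Outside In versions against the diary's numbers.
LAST_VULNERABLE = (8, 3, 7, 77)  # "8.3.7.77 and earlier is vulnerable"
FIXED_MAIN = (8, 3, 7, 171)      # "The fixed version is 8.3.7.171"
FIXED_835 = (8, 3, 5, 6369)      # also listed as fixed by US-CERT

def parse_version(text):
    """Turn '8.3.7.77' into (8, 3, 7, 77); reject anything malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(text):
    """Return 'fixed', 'vulnerable' or 'unconfirmed' for one version string."""
    v = parse_version(text)
    # Assumption: anything at or above 8.3.7.171 carries the fix.
    if v >= FIXED_MAIN:
        return "fixed"
    # Assumption: 8.3.5.x builds at or above 6369 carry the fix as well.
    if v[:3] == FIXED_835[:3] and v >= FIXED_835:
        return "fixed"
    if v <= LAST_VULNERABLE:
        return "vulnerable"
    # Builds between 8.3.7.77 and 8.3.7.171: the diary gives no status.
    return "unconfirmed"

def triage(rows):
    """Classify (host, file, version) rows; unreadable versions are 'unparsed'."""
    out = []
    for host, path, version in rows:
        try:
            status = classify(version)
        except ValueError:
            status = "unparsed"  # needs a manual look, never assumed safe
        out.append((host, path, status))
    return out

# Constructed inventory: host names, file names and versions are made up.
SAMPLE = [
    ("mail01", "lib-a.dll", "8.3.7.77"),
    ("mail02", "lib-a.dll", "8.3.7.171"),
    ("search01", "lib-b.dll", "8.3.5.6369"),
    ("app01", "lib-c.dll", "8.3.7.100"),
    ("app02", "lib-c.dll", "n/a"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row)
```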

As a workaround, you could disable the transcoding service, but you will then no longer be able to preview attachments. Or you could disable the advanced filter pack on FAST Search Server 2010 for SharePoint.

Oracle's "Outside In" libraries are able to decode over 500 different file formats [3]. The libraries are used to index content inside files like PDFs and other common file types.

It is very likely that Microsoft's software is not the only software that includes this library. US-CERT provides a list of software that they identified.

[1] http://technet.microsoft.com/en-us/security/advisory/2737111
[2] http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html
[3] http://www.kb.cert.org/vuls/id/118913

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Johannes

3631 Posts
ISC Handler
Not to be picky but you missed an S in SharePoint "Search Server 2010 for harePoint."
PW

63 Posts
Note that exploits are publicly available!

Based on [3] above I conducted some research on possible other (non-Microsoft) vulnerable applications that use the affected Oracle Outside In libraries.

This appears to include commonly used apps such as ACDSee, Quick View Plus, McAfee Groupshield, Novell GroupWise, various "paperless office" apps, but also forensics software such as EnCase and FTK (see also: http://computer-forensics.sans.org/blog/2010/04/27/arbitrary-code-execution-examiner-systems-file-corruption).

Some more details (in Dutch, but English-only readers probably get the idea) can be found in http://www.security.nl/artikel/42384/1/Microsoft_waarschuwt_voor_Oracle-lek_in_Exchange.html - look for the gray rectangles in my second comment.
Erik van Straten

122 Posts
Noteworthy is perhaps that US-CERT warned Microsoft (on 26 Mar 2012!) about multiple exploitable vulnerabilities in "Oracle Outside In" as used in the "WebReady document viewing feature" in Microsoft Exchange 2007 and 2010.

Apparently the Microsoft-Oracle battle results in security negligence affecting lots of Microsoft customers?

See also Jürgen Schmidt's -German- comment in http://www.heise.de/security/meldung/Microsoft-warnt-vor-Oracle-Luecken-in-Exchange-und-Sharepoint-1652251.html (probably soon to appear -in English- on http://www.h-online.com/).
Erik van Straten

122 Posts
Novell GroupWise also used these libraries.
AndrewB

24 Posts
