Oracle Reports Vulnerability
I mentioned this vulnerability earlier this week in a podcast, but believe it deserves a bit more attention, in particular as exploits are now public, and a metasploit module appears in the works.
Dana Taylor (NI @root) released details about the vulnerabilities first in her blog [1]. The post included quite a bit of details about respecitve vulnerabilities. Extended support for Oracle 10g ended July 2013 and a patch is not expected.
If for some reason you are still running Oracle 10g or earlier, please check on possible workarounds or upgrade to 11g
The vulnerabilities were assigned following CVE numbers
CVE-2012-3153 - PARSEQUERY keymap vulnerabiilty
Oracle details (requires login): https://support.oracle.com/rs?type=doc&id=279683.1
CVE-2012-3152 - URLPARAMETER code execution
Please let us know if you have any workarounds to share, or if you have any logs showing exploit attempts.
[1] http://netinfiltration.com
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Application Security: Securing Web Apps, APIs, and Microservices | Online | US Eastern | Jan 27th - Feb 1st 2025 |
Comments
Anonymous
Jan 30th 2014
1 decade ago
Anonymous
Jan 30th 2014
1 decade ago
If you can see /reports/rwservlet/shomap it should be cause for concern.
Anonymous
Jan 30th 2014
1 decade ago
If you are using Oracle Reports 10.1.2 in that context, it is supported:
“Customers running Oracle Fusion Middleware 10gR2 and 10gR3 in the Oracle E-Business Suite version 12 internal technology stack will remain supported for the duration of the support period for Oracle E-Business Suite 12.”
http://www.oracle.com/us/support/library/lifetime-support-applications-069216.pdf
Page 8
I looked for an MOS note describing how to upgrade E-Business Suite 12 to Oracle Reports 11gR1, but did not find one. As far as I know, it is not a supported configuration (yet).
For companies running Oracle E-Business Suite 12, this is a VERY serious problem. It needs to be worked immediately by Oracle.
Anonymous
Feb 5th 2014
1 decade ago