I mentioned this vulnerability earlier this week in a podcast, but believe it deserves a bit more attention, in particular as exploits are now public and a Metasploit module appears to be in the works. Dana Taylor (NI @root) released details about the vulnerabilities first in her blog [1]. The post included quite a bit of detail about the respective vulnerabilities.

Extended support for Oracle 10g ended July 2013 and a patch is not expected. If for some reason you are still running Oracle 10g or earlier, please check on possible workarounds or upgrade to 11g.

The vulnerabilities were assigned the following CVE numbers:

- CVE-2012-3153 - PARSEQUERY keymap vulnerability. Oracle details (requires login): https://support.oracle.com/rs?type=doc&id=279683.1
- CVE-2012-3152 - URLPARAMETER code execution

Please let us know if you have any workarounds to share, or if you have any logs showing exploit attempts.

[1] http://netinfiltration.com
------
Johannes 4069 Posts ISC Handler
Jan 30th 2014
BTW, a metasploit remote code execution module will be live soon. https://github.com/rapid7/metasploit-framework/pull/2931
@Miss_Sudo 12 Posts
Jan 30th 2014
Has Oracle released a patch for this?
@Miss_Sudo 2 Posts
Jan 30th 2014
They released a patch for 11g. However, they recommended workarounds for older versions. They recommend upgrading to at least 11g. The low criticality rating they gave these means the patch and workarounds may not have been installed by a lot of DBAs.
If you can see /reports/rwservlet/shomap, it should be cause for concern.
@Miss_Sudo 12 Posts
Jan 30th 2014
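As an added example (not code from the diary or from any commenter), a small Python log scanner that answers the diary's request for logs: it flags requests to the rwservlet endpoint named in the comment above and reports whether an indicator page was actually served. The keyword list is an assumption drawn from the path in that comment and the two CVE titles in the diary (the comment spells the page "shomap"; Oracle's documentation spells it "showmap", so both are matched), and the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Apache/OHS combined-log line: client IP, timestamp, "METHOD target HTTP/x", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators assumed from the thread, not an official list: the rwservlet endpoint,
# the "shomap" page the comment warns about (Oracle docs spell it showmap, so both
# spellings are matched), and the keymap / URLPARAMETER features in the CVE titles.
RWSERVLET = "/reports/rwservlet"
KEYWORDS = ("shomap", "showmap", "parsequery", "keymap", "urlparameter")


def classify(line):
    """Return (ip, status, [matched keywords]) for a request touching rwservlet, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote(m.group("target")).lower()  # decode %xx so encoding cannot hide a hit
    if RWSERVLET not in target:
        return None
    return m.group("ip"), int(m.group("status")), [k for k in KEYWORDS if k in target]


def scan(lines):
    """All rwservlet requests in the log; a non-empty keyword list deserves a closer look."""
    return [f for f in map(classify, lines) if f is not None]


def exposed(findings):
    """Indicator requests that were answered 2xx: the page is reachable, which the comment calls cause for concern."""
    return [f for f in findings if f[2] and 200 <= f[1] < 300]


# Constructed sample lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Jan/2014:10:15:01 +0000] "GET /reports/rwservlet/shomap HTTP/1.1" 200 5123',
    '203.0.113.7 - - [30/Jan/2014:10:15:09 +0000] "GET /reports/rwservlet/%73%68%6f%77%6d%61%70 HTTP/1.1" 403 221',
    '198.51.100.5 - - [30/Jan/2014:11:02:44 +0000] "GET /reports/rwservlet?report=sales.rdf&desformat=pdf HTTP/1.1" 200 8821',
    '198.51.100.5 - - [30/Jan/2014:11:03:10 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, status, hits in scan(SAMPLE_LOG):
        print(ip, status, hits or "no indicator")
    print("exposed:", exposed(scan(SAMPLE_LOG)))
```

Run it over a real access log by replacing SAMPLE_LOG with the file's lines; a non-empty result from exposed() means the page is being served and the workaround or upgrade above has not taken effect.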
Oracle Reports 10.1.2 is bundled with Oracle E-Business Suite R12.0, R12.1, and R12.2 (latest version). It is bundled in Oracle Application Server 10.1.2 (aka Oracle Fusion Middleware 10gR2).
If you are using Oracle Reports 10.1.2 in that context, it is supported: "Customers running Oracle Fusion Middleware 10gR2 and 10gR3 in the Oracle E-Business Suite version 12 internal technology stack will remain supported for the duration of the support period for Oracle E-Business Suite 12." (http://www.oracle.com/us/support/library/lifetime-support-applications-069216.pdf, page 8)

I looked for an MOS note describing how to upgrade E-Business Suite 12 to Oracle Reports 11gR1, but did not find one. As far as I know, it is not a supported configuration (yet).

For companies running Oracle E-Business Suite 12, this is a VERY serious problem. It needs to be worked immediately by Oracle.
Jeff 2 Posts
Feb 5th 2014