Oracle Reports Vulnerability

Published: 2014-01-30. Last Updated: 2014-01-30 01:28:56 UTC
by Johannes Ullrich (Version: 1)

I mentioned this vulnerability earlier this week in a podcast, but believe it deserves a bit more attention, in particular as exploits are now public and a Metasploit module appears to be in the works.

Dana Taylor (NI @root) first released details about the vulnerabilities on her blog [1]. The post includes quite a bit of detail about the respective vulnerabilities. Extended support for Oracle 10g ended in July 2013 and a patch is not expected.

If for some reason you are still running Oracle 10g or earlier, please check on possible workarounds or upgrade to 11g.

The vulnerabilities were assigned the following CVE numbers:

CVE-2012-3153 - PARSEQUERY keymap vulnerability

Oracle details (requires login): https://support.oracle.com/rs?type=doc&id=279683.1

CVE-2012-3152 - URLPARAMETER code execution

Please let us know if you have any workarounds to share, or if you have any logs showing exploit attempts.
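If you want to look for exploit attempts in your own logs, the following is an added example (not code from this diary or from Oracle) that scans web-server access-log lines for requests to the Oracle Reports servlet carrying the keywords named above. The servlet path, the token list and the log lines are assumptions constructed for the example; adjust them to your deployment.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Tokens to flag: assumed from the vulnerability names on this page
# (PARSEQUERY, URLPARAMETER) plus the showmap check mentioned in the comments.
SUSPECT_TOKENS = ("showmap", "parsequery", "urlparameter")

# Constructed sample lines in Apache combined format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Jan/2014:10:01:02 +0000] "GET /reports/rwservlet/showmap HTTP/1.1" 200 5120 "-" "curl/7.30"
203.0.113.5 - - [30/Jan/2014:10:01:09 +0000] "GET /reports/rwservlet?report=x&PARSEQUERY=1 HTTP/1.1" 200 812 "-" "curl/7.30"
198.51.100.7 - - [30/Jan/2014:10:02:00 +0000] "GET /reports/rwservlet?report=sales.rdf&destype=cache HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
192.0.2.9 - - [30/Jan/2014:10:03:30 +0000] "GET /reports/rwservlet?URLPARAMETER=1 HTTP/1.1" 404 300 "-" "python-requests/2.2"
192.0.2.9 - - [30/Jan/2014:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# Combined-format access log: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def flag_rwservlet_requests(log_text):
    """Return one finding per request to rwservlet that carries a suspect token."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        # Percent-decode and lowercase so encoded or mixed-case tokens still match.
        target = unquote(m.group("target")).lower()
        if "rwservlet" not in target:
            continue
        hits = [t for t in SUSPECT_TOKENS if t in target]
        if hits:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": int(m.group("status")),
                             "tokens": hits, "target": m.group("target")})
    return findings


def sources_by_hits(findings):
    """Count flagged requests per client IP, to see who is probing repeatedly."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    for f in flag_rwservlet_requests(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], ",".join(f["tokens"]), f["target"])
```

A successful (200) response to a showmap request is the case the comments below single out as cause for concern; a 404 still shows someone is looking.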

[1] http://netinfiltration.com

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: cpu oracle patch

Comments

BTW, a metasploit remote code execution module will be live soon. https://github.com/rapid7/metasploit-framework/pull/2931
Has Oracle released a patch for this?
They released a patch for 11g. However, they recommended workarounds for older versions. They recommend upgrading to at least 11g. The low criticality rating they gave these means the patch and workarounds may not have been installed by a lot of DBAs.

If you can see /reports/rwservlet/shomap it should be cause for concern.
Oracle Reports 10.1.2 is bundled with Oracle E-Business Suite R12.0, R12.1, and R12.2 (latest version). It is bundled in Oracle Application Server 10.1.2 (aka Oracle Fusion Middleware 10gR2).

If you are using Oracle Reports 10.1.2 in that context, it is supported:

“Customers running Oracle Fusion Middleware 10gR2 and 10gR3 in the Oracle E-Business Suite version 12 internal technology stack will remain supported for the duration of the support period for Oracle E-Business Suite 12.”

http://www.oracle.com/us/support/library/lifetime-support-applications-069216.pdf

Page 8

I looked for an MOS note describing how to upgrade E-Business Suite 12 to Oracle Reports 11gR1, but did not find one. As far as I know, it is not a supported configuration (yet).

For companies running Oracle E-Business Suite 12, this is a VERY serious problem. It needs to be worked immediately by Oracle.
