SANS ISC: Oracle Reports Vulnerability SANS ISC InfoSec Forums
Oracle Reports Vulnerability

I mentioned this vulnerability earlier this week in the podcast, but it deserves a bit more attention, in particular because exploits are now public and a Metasploit module appears to be in the works.

Dana Taylor (NI @root) first released details about the vulnerabilities in her blog [1]. The post includes quite a bit of detail about the respective vulnerabilities. Extended support for Oracle 10g ended in July 2013, and a patch is not expected.

If for some reason you are still running Oracle 10g or earlier, check for possible workarounds or upgrade to 11g.

The vulnerabilities were assigned the following CVE numbers:

CVE-2012-3153 - PARSEQUERY keymap vulnerability

      Oracle details (requires login): https://support.oracle.com/rs?type=doc&id=279683.1

CVE-2012-3152 - URLPARAMETER code execution

Please let us know if you have any workarounds to share, or if you have any logs showing exploit attempts.

[1] http://netinfiltration.com


------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

I will be teaching next: Defending Web Applications Security Essentials - SANS San Francisco Winter 2019

Johannes

3681 Posts
ISC Handler
BTW, a Metasploit remote code execution module will be live soon. https://github.com/rapid7/metasploit-framework/pull/2931
@Miss_Sudo

12 Posts
Has Oracle released a patch for this?
@Miss_Sudo
2 Posts
They released a patch for 11g. However, they recommended workarounds for older versions. They recommend upgrading to at least 11g. The low criticality rating they gave these means the patch and workarounds may not have been installed by a lot of DBAs.

If you can see /reports/rwservlet/showmap it should be cause for concern.
@Miss_Sudo

12 Posts
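The diary asks for logs showing exploit attempts, and the comment above gives the rwservlet showmap check. As an added example (not code from the diary, the commenters, Oracle, or the Metasploit module), here is a small Python scanner that walks web server access-log lines and flags requests to the rwservlet entry point that carry the indicators named on this page: the showmap command, PARSEQUERY (CVE-2012-3153) and URLPARAMETER (CVE-2012-3152). The log lines are constructed for illustration, and the assumption that these command names appear literally in the request path (case-insensitively, as rwservlet accepts them) is mine; it does not reproduce any exploit payload.

```python
import re

# Constructed sample access-log lines in Combined Log Format. These are made up
# for this example and do not come from the ISC diary or any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jan/2014:10:01:12 +0000] "GET /reports/rwservlet/showmap HTTP/1.1" 200 5120 "-" "curl/7.30.0"
203.0.113.7 - - [20/Jan/2014:10:01:20 +0000] "GET /reports/rwservlet/parsequery?report=test HTTP/1.1" 200 812 "-" "curl/7.30.0"
198.51.100.4 - - [20/Jan/2014:10:02:03 +0000] "GET /reports/rwservlet?report=sales.rdf&destype=cache&desformat=pdf HTTP/1.1" 200 44120 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2014:10:03:45 +0000] "GET /reports/rwservlet?report=x&URLPARAMETER=http://203.0.113.7/p HTTP/1.1" 500 233 "-" "python-requests/2.2"
192.0.2.9 - - [20/Jan/2014:10:04:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Minimal Combined Log Format parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators taken from this page. Keys are matched case-insensitively against
# the request path because rwservlet accepts its commands in either case
# (assumption for this example).
SUSPICIOUS = {
    "showmap": "showmap command",
    "parsequery": "PARSEQUERY (CVE-2012-3153)",
    "urlparameter": "URLPARAMETER (CVE-2012-3152)",
}


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Return the indicator labels matching a request path ([] if nothing suspicious).

    Only rwservlet requests are considered; an ordinary report run that carries
    none of the keywords is left alone.
    """
    lowered = path.lower()
    if "/rwservlet" not in lowered:
        return []
    return [label for key, label in SUSPICIOUS.items() if key in lowered]


def scan(log_text):
    """Scan a block of log text and return one hit record per suspicious request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        labels = classify(rec["path"])
        if labels:
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "status": rec["status"],
                "path": rec["path"],
                "indicators": labels,
            })
    return hits


def sources_by_hits(hits):
    """Count hits per source IP so a scanning host stands out."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["ip"], h["status"], h["path"], "->", ", ".join(h["indicators"]))
    print("hits per source:", sources_by_hits(found))
```

A 200 response to the showmap request is the condition the comment warns about; a 500 on the URLPARAMETER request does not by itself mean the attempt failed, so treat any rwservlet hit from an unexpected source as worth a closer look rather than filtering on status.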
Oracle Reports 10.1.2 is bundled with Oracle E-Business Suite R12.0, R12.1, and R12.2 (latest version). It is bundled in Oracle Application Server 10.1.2 (aka Oracle Fusion Middleware 10gR2).

If you are using Oracle Reports 10.1.2 in that context, it is supported:

“Customers running Oracle Fusion Middleware 10gR2 and 10gR3 in the Oracle E-Business Suite version 12 internal technology stack will remain supported for the duration of the support period for Oracle E-Business Suite 12.”

http://www.oracle.com/us/support/library/lifetime-support-applications-069216.pdf

Page 8

I looked for an MOS note describing how to upgrade E-Business Suite 12 to Oracle Reports 11gR1, but did not find one. As far as I know, it is not a supported configuration (yet).

For companies running Oracle E-Business Suite 12, this is a VERY serious problem. It needs to be worked immediately by Oracle.
Jeff

2 Posts
