Vulnerabilities in Oracle Reports Developer could allow remote code execution

ITS Advisory Number: 2014-050
Date(s) Issued: Friday, May 30, 2014
Subject: Vulnerabilities in Oracle Reports Developer could allow remote code execution
Overview: 

Vulnerabilities have been discovered in Oracle Reports Developer. Oracle Reports Developer is an enterprise component of Oracle Fusion Middleware used to generate reports in the form of web pages. These vulnerabilities can be exploited without authentication by an attacker using only a web browser. Successful exploitation may allow an attacker to install programs or to view, change, or delete data.

Exploits are publicly available and are being used on the Internet.

Systems Affected: 
  • Oracle Fusion Middleware 11.1.2.0 and older
  • Oracle Forms and Reports 10.x and older
RISK
Government:
  • Large and medium government entities: High
  • Small government entities: High
Business:
  • Large and medium business entities: High
  • Small business entities: High
Home Users: N/A
Description: 

Vulnerabilities have been discovered in Oracle Reports Developer. When exploited, these vulnerabilities allow remote attackers to affect confidentiality and integrity via attack vectors related to the Report Server component. The following vulnerabilities have been reported:

Exploits are publicly available and are being used on the Internet.

The exploits have been tested and confirmed in an isolated lab to allow reading and writing of files. It was concluded that:

Actions: 
  • Apply patches provided by Oracle after appropriate testing
  • Apply the principle of Least Privilege to all services
References: 
Oracle:
http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html#AppendixFMW
http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
Seclists:
http://seclists.org/fulldisclosure/2014/Jan/186
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3152
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3153
Security Focus:
http://www.securityfocus.com/bid/55961
http://www.securityfocus.com/bid/55955