Vulnerabilities > CVE-2014-2424 - Remote Code Execution vulnerability in Oracle Fusion Middleware 11.1.1.7.0

CVSS 4.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

NONE

network

low complexity

oracle

exploit available

metasploit

NVD

Published: 2014-04-16

Updated: 2014-07-24

Summary

Unspecified vulnerability in the Oracle Event Processing component in Oracle Fusion Middleware 11.1.1.7.0 allows remote authenticated users to affect integrity via vectors related to CEP system.

Vulnerable Configurations

Part	Description	Count
Application	Oracle Oracle Fusion Middleware 11.1.1.7.0	1

Exploit-Db

description	Oracle Event Processing FileUploadServlet Arbitrary File Upload. CVE-2014-2424. Remote exploit for windows platform
file	exploits/windows/remote/33989.rb
id	EDB-ID:33989
last seen	2016-02-03
modified	2014-07-07
platform	windows
port	9002
published	2014-07-07
reporter	metasploit
source	https://www.exploit-db.com/download/33989/
title	Oracle Event Processing FileUploadServlet Arbitrary File Upload
type	remote

Metasploit

description	This module exploits an arbitrary file upload vulnerability in Oracle Event Processing 11.1.1.7.0. The FileUploadServlet component, which requires no authentication, can be abused to upload a malicious file onto an arbitrary location due to a directory traversal flaw, and compromise the server. By default Oracle Event Processing uses a Jetty Application Server without JSP support, which limits the attack to WbemExec. The current WbemExec technique only requires arbitrary write to the file system, but at the moment the module only supports Windows 2003 SP2 or older.
id	MSF:EXPLOIT/WINDOWS/HTTP/ORACLE_EVENT_PROCESSING_UPLOAD
last seen	2020-06-02
modified	2017-07-24
published	2014-06-29
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2424 http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/oracle_event_processing_upload.rb
title	Oracle Event Processing FileUploadServlet Arbitrary File Upload

Packetstorm

data source	https://packetstormsecurity.com/files/download/127365/oracle_event_processing_upload.rb.txt
id	PACKETSTORM:127365
last seen	2016-12-05
published	2014-07-06
reporter	rgod
source	https://packetstormsecurity.com/files/127365/Oracle-Event-Processing-FileUploadServlet-Arbitrary-File-Upload.html
title	Oracle Event Processing FileUploadServlet Arbitrary File Upload

Summary

Vulnerable Configurations

Exploit-Db

Metasploit

Packetstorm

References