CVE-2020-14864: Oracle Business Intelligence Enterprise Edition LFI

Virsec Security Research Lab Vulnerability Report

The Virsec Security Research Lab, helmed by Virsec CTO, Satya Gupta, provides timely, relevant analysis about prevalent security vulnerabilities.

1.1        Vulnerability Summary

A Local File Inclusion vulnerability exists in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Installation). This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks on this vulnerability can result in unauthorized access to critical data or complete access to all data accessible to Oracle Business Intelligence Enterprise Edition.

A Directory Traversal vulnerability has been discovered in the ‘getPreviewImage’ function of Oracle Business Intelligence Enterprise Edition. The ‘getPreviewImage’ function returns a preview image of a previously uploaded theme logo. By manipulating the ‘previewFilePath’ URL parameter, an attacker with access to the administration interface can read arbitrary system files.
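As an added illustration (this is not code from the Virsec report or from Oracle), the containment check a hardened getPreviewImage handler needs for previewFilePath, plus a log search that applies the same check to captured requests; the theme directory, the endpoint path and the access-log lines are constructed placeholders.

```python
import re
import urllib.parse
from pathlib import Path
from typing import List, Optional, Tuple
# Hypothetical logo upload directory; the report does not name the real one.
THEME_DIR = "/opt/oracle/bi/themes"

def resolve_preview_path(theme_dir: str, preview_file_path: str) -> Optional[Path]:
    """Map previewFilePath onto a file under theme_dir, or None if it escapes."""
    base = Path(theme_dir).resolve()
    # resolve() collapses '..' segments, and an absolute parameter replaces base
    # outright, so the containment check below catches both ways of escaping.
    candidate = (base / preview_file_path).resolve(strict=False)
    try:
        candidate.relative_to(base)
    except ValueError:
        return None  # resolved outside the upload directory
    return None if candidate == base else candidate

def decode_fully(value: str, limit: int = 3) -> str:
    """Strip up to `limit` layers of percent-encoding so %252e%252e reads as '..'."""
    for _ in range(limit):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_traversal_requests(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, decoded previewFilePath) for getPreviewImage
    requests whose parameter would resolve outside THEME_DIR."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m or "getPreviewImage" not in m.group(1):
            continue
        query = urllib.parse.urlsplit(m.group(1)).query
        for raw in urllib.parse.parse_qs(query).get("previewFilePath", []):
            # Treat backslash as a separator too: the BI server may run on Windows.
            decoded = decode_fully(raw).replace("\\", "/")
            if resolve_preview_path(THEME_DIR, decoded) is None:
                hits.append((n, decoded))
    return hits

# Constructed access-log lines (not real traffic); the endpoint path is a placeholder.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /themes/getPreviewImage?previewFilePath=logo.png HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2021:10:00:01 +0000] "GET /themes/getPreviewImage?previewFilePath=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1034',
    '10.0.0.9 - - [01/Jan/2021:10:00:02 +0000] "GET /themes/getPreviewImage?previewFilePath=%252e%252e%252fetc%252fshadow HTTP/1.1" 403 0',
]
```

Running `flag_traversal_requests(SAMPLE_LOG)` reports the second and third lines; the first, a plain file name inside the theme directory, passes.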


1.2        CVSS Score

The CVSS Base Score is 7.5 (High).

1.3        Affected Version

Supported versions that are affected are 5.5.0.0.0, 12.2.1.3.0 and 12.2.1.4.0.

1.4        Vulnerability Attribution

This issue was reported publicly by Ivo Palazzolo.

1.5        Risk Impact

Oracle Business Intelligence (BI) is a portfolio of technology and applications that provides an Enterprise Performance Management System, including the BI foundation and tools: an integrated array of query, reporting, analysis, alerting, mobile analytics, data integration and management capabilities.

Oracle BI is part of Oracle Fusion Middleware, which has a sizeable market share of around 9% according to the linked source. Any exploit of this vulnerability could expose all sensitive data that resides on the server, which could lead to leakage of proprietary information. A public exploit for this vulnerability is available.

1.6        Virsec Security Platform (VSP) Support:

The Virsec Security Platform (VSP)-Web capability can detect such an LFI attack and prevent this vulnerability from being exploited.

1.7        Reference Links:

Download the full vulnerability report to learn more about this and other important vulnerabilities.

*** This is a Security Bloggers Network syndicated blog from Blog – Virsec Systems authored by Satya Gupta. Read the original post at: https://virsec.com/cve-2020-14864-oracle-business-intelligence-enterprise-edition-lfi/