Introduction
In the course of a penetration test, performed under contract and conducted on a PaaS OAC instance of one of our customers, the researcher Davide Virruso, from the Offensive Security Team of Tinexta Cyber, identified the following four vulnerabilities:
- Authentication Bypass in XML Service
- Remote Code Execution by ScriptEngine injection
- Dom-based Cross-Site Scripting (https://www.oracle.com/security-alerts/cpujan2024.html)
- Unauthenticated blind Server-Side Request Forgery (SSRF)
Advisory
- https://www.oracle.com/security-alerts/cpuapr2024.html
- https://www.oracle.com/security-alerts/cpuapr2024verbose.html
Vulnerabilities – CVE-2024-21082 – Authentication Bypass in XML Service – CWE-304
| CVE-2024-21082 – Authentication Bypass in XMLPService | |||
|---|---|---|---|
| PRODUCT LINE | VERSION | SCORE | IMPACT |
| Oracle BI Publisher | 7.0.0.0.0, 12.2.1.4.0 | 9.8 | Critical |
| OWASP CATEGORY | CWE | ||
| A07 – Identification and Authentication Failures | CWE-304 | ||
| AFFECTED ENDPOINT – AFFACTED PARAMETER | |||
| omitted | |||
| PREREQUISITES | |||
| No Special Configuration is required to reproduce the issue | |||
| CVSS VECTOR | |||
| AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | |||
Description
Through the exploitation of the webservice: XMLPservice, an unauthenticated user with network access via HTTP can compromise Oracle BI Publisher. The vulnerability allows the acquisition of BI Publisher user session tokens, solely through their email address. This leads to the potential for assuming control of the system, potentially even with administrative privileges. Obtaining session tokens, not only directly, impacts data confidentiality, integrity and availability but also exposes the instance to the possibility of remote command execution on the server via the vulnerability identified by CVE ID: CVE-2024-21083.
Owasp Category
A07 – Identification and Authentication Failures – Identification and authentication errors can occur when the functions related to identity, authentication, or user session management are not implemented correctly or are not adequately protected by an application. Attackers can exploit these errors by compromising passwords, keys, session tokens, or exploiting other implementation flaws to assume the identity of other users, either temporarily or permanently. Weak points in authentication may exist if the application:
- Allows automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords.
- Permits brute force or other automated attacks.
- Accepts default, weak, or well-known passwords, such as “Password1” or “admin/admin.”
- Uses weak or ineffective credential recovery processes and forgotten passwords, such as “knowledge-based answers,” which cannot be made secure.
- Exposes the session token in the URL.
- Reuses the session token after successful login.
- Does not properly invalidate session IDs. User sessions or authentication tokens (mainly Single Sign-On (SSO) tokens) are not correctly invalidated during logout or a period of inactivity.
- Provides session tokens to unauthenticated HTTP requests or those with partial authentication.
Vulnerabilities – CVE-2024-21083 – Remote Code Execution by ScriptEngine injection – CWE-94
| CVE-2024-21083 – Remote Code Execution by ScriptEngine injection | |||
|---|---|---|---|
| PRODUCT LINE | VERSION | SCORE | IMPACT |
| Oracle BI Publisher | 7.0.0.0.0, 12.2.1.4.0 | 7.2 | High |
| OWASP CATEGORY | CWE | ||
| A03 – Injection | CWE-94 | ||
| AFFECTED ENDPOINT – AFFACTED PARAMETER | |||
| omitted | |||
| PREREQUISITES | |||
| No Special Configuration is required to reproduce the issue | |||
| CVSS VECTOR | |||
| AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | |||
Description
Through the exploitation of the webservice: PluginService, a BI Publisher user with elevated privileges can execute remote code on the hosting server instance, using the ScriptEngine component of the javax.script package. This occurs due to a lack of validation of user input and a missing sandboxing system during code evaluation, which allows for the execution of arbitrary Java code.
Owasp Category
A03 – Injection – Code injection can occur when untrusted input is injected into dynamically constructed code. One obvious source of potential vulnerabilities is the use of JavaScript from Java code. The javax.script package consists of interfaces and classes that define Java scripting engines and a framework for the use of those interfaces and classes in Java code. Misuse of the javax.script API permits an attacker to execute arbitrary code on the target system. The ScriptEngine api is available since the release of Java 6. It allow application to interact with script. In the event that the user manages to control a portion or the entirety of the script evaluation, they can interact fully with the JVM (by default).
Vulnerabilities – CVE-2024-21084 – Unauthenticated blind Server-Side Request Forgery – CWE-918
| CVE-2024-21084 – Unauthenticated blind Server-Side Request Forgery | |||
|---|---|---|---|
| PRODUCT LINE | VERSION | SCORE | IMPACT |
| Oracle BI Publisher | 7.0.0.0.0, 12.2.1.4.0 | 5.4 | Medium |
| OWASP CATEGORY | CWE | ||
| A10 – Server-Side Request Forgery (SSRF) | CWE-918 | ||
| AFFECTED ENDPOINT – AFFACTED PARAMETER | |||
| omitted | |||
| PREREQUISITES | |||
| No Special Configuration is required to reproduce the issue | |||
| CVSS VECTOR | |||
| AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N | |||
Description
During the analysis, a vulnerability of the unauthenticated blind server-side request forgery type was detected on the replytoXML and replyToXMLWithContext webservices. In this case, an unauthenticated user can prompt the server to execute requests using various protocols, including ftp:// , http://, and file://, targeting both internal and external servers or resources. Although this flaw may have a limited impact on Oracle BI Publisher itself, it could have serious consequences on other products, altering the scope of the risk.
Owasp Category
A010 – Server Side Request Forgery – In a Server-Side Request Forgery (SSRF) attack, an assailant exploits server functionality to access and manipulate internal resources. This is achieved by providing or altering a URL, which the server’s code interprets to either read or submit data. By meticulously selecting these URLs, the attacker can potentially access sensitive information, establish connections with internal services, or execute POST requests towards internal services that are not meant to be externally exposed. This type of attack poses a significant threat to server security, as it allows unauthorized access and manipulation of critical server-side functionalities. These types of attacks can involve the use of various protocols such as ftp://, http://, file://, gopher://, and more, expanding the range of potential vulnerabilities and magnifying the threat to server security.
Mitigation
In line with the vendor’s statements, it is recommended to update vulnerable products following the instructions provided within the April CPU: https://www.oracle.com/security-alerts/cpuapr2024.html
Timeline
- November 2023: Discovered by Davide Virruso of Tinexta Cyber.
- November 24, 2023: Reported via email to Oracle Security Alerts.
- April 16, 2024: Oracle publishes CPU.
- May 6, 2024: Tinexta Cyber publishes its advisory.
