Dana Taylor, a researcher and information security specialist with the University of Pennsylvania, has publicly disclosed the details of three security vulnerabilities in Oracle Corp.'s Forms and Reports software components, and criticized the Redwood City, Calif.-based company for its lackluster response to her private disclosures.
Though the severity of the vulnerabilities is disputed, they could enable an attacker to gain access to a variety of sensitive files, and if combined with other vulnerabilities, could reportedly put an entire network at risk.
Forms and Reports are both components of Oracle Fusion Middleware, the database giant's package of software add-ons for building and integrating custom functionality with its core database software. The flaws are specific to 11.1 versions of Fusion Middleware. As of September 2013, Oracle reported 115,000 Fusion Middleware customers, though it's unclear how many use Forms or Reports.
In a new blog post detailing her actions, first reported by CSO, Taylor wrote that she originally contacted Oracle in April 2011 about the first vulnerability, which reportedly allows an unauthenticated user with nothing more than a Web browser to dump database passwords. She said Oracle responded that the vulnerability was in fact a "configuration error."
In October 2011, Taylor reported another, more severe vulnerability, which could allow an unauthenticated user with a Web browser to browse a server's file system and read files with the same permissions as the Oracle account, including the contents of that account's .ssh folder. With a Secure Shell (SSH) private key in hand, attackers could then log in to any other server that trusts that key without needing a password. Worse, the vulnerability could turn a compromised server into a proxy for entering private networks and reaching other servers, even those behind firewalls.
Taylor also said she shared the second vulnerability with a vetted security list, and the Information Security Office at the University of Texas at Austin then discovered a way to plant files on a server via the security flaw.
After the second disclosure, Oracle did recognize the implications of Taylor's findings, but she was eventually left unsatisfied by the company's response, which included workarounds and a software update for version 11g of the affected software. Oracle also rated the vulnerabilities with a Common Vulnerability Scoring System (CVSS) base score of 6.4, a score Taylor thought was too low to convince enterprises to implement the necessary fixes.
"I continued to receive monthly status updates until they finally released the 'patch,'" said Taylor in her blog post. "Actually, they didn't release a patch, they simply did a code rewrite for version 12.x and released documentation for workarounds that likely didn't get implemented due to the low priority these vulnerabilities were given."
As part of the disclosure, Oracle asked Taylor to provide the My Oracle Support notes detailing the workarounds the company had provided for the two issues (tracked as CVE-2012-3152 and CVE-2012-3153), and emphasized that version 10g of the affected software is unsupported. Oracle recommended that customers affected by the issues upgrade to version 11g.
"As you can see by Oracle's response, they are willing to let older versions of the software remain vulnerable if workarounds were not put in place," Taylor commented.
Though Taylor had not planned to release the exploit technique for the vulnerabilities, Oracle's response in this case motivated her to "hold vendors responsible" both for protecting consumers and assigning vulnerabilities a "proper criticality rating." She now plans to hand the exploits over to Rapid7, the vulnerability assessment vendor behind the popular Metasploit framework.
"I was really hoping Oracle would respond that they would go ahead and release patches for older versions, but that didn't happen," Taylor said in the blog post. "Perhaps this will be a lesson to them to treat serious vulnerabilities seriously."
At press time, Oracle had not responded to a SearchSecurity request for comment.