It may not be the highest priority patch among the 89 released by Oracle yesterday in its July Critical Patch Update (CPU), but a fix for an Outside In Technology vulnerability in Oracle’s Fusion middleware merits some extra attention.
Oracle provides the technology in several of its products in order for developers to turn unstructured file formats such as Microsoft Office documents into normalized files. It’s also present in a couple of Microsoft Exchange features that expand the attack surface of the Exchange server, according to research released earlier this summer by CERT Coordination Center.
The two Exchange features impacted are WebReady and Data Loss Prevention on Exchange running on Windows Server 2003. Researcher Will Dormann said that Microsoft Exchange had previously provided only the file format parsers required by WebReady. That dynamic changed in current versions of Exchange where all the Outside In parsers are available. Dormann said he discovered the change as part of the development of the CERT Failure Observation Engine and CERT Basic Fuzzing Framework.
“I tested the latest versions of Outside In available from Oracle. Within approximately 5 minutes of fuzzing, I had a test case that demonstrated full control of the instruction pointer. I confirmed that a crashing test case from the Outside In fuzzing campaign can be used to achieve code execution on an Exchange server by way of WebReady,” Dormann wrote on the CERT blog. “The minimization-to-string feature in FOE and BFF made it pretty straightforward to make a PoC.”
Qualys CTO Wolfgang Kandek said the low CVSS score given to the bugs shouldn’t sway admins from taking a close look at the issue.
“Past Oracle Outside In patches have triggered new releases of Microsoft Exchange based on CVSS scores from as low as 2.1 to as high as 7.5, illustrating that they are fairly independent from the severity level of the vulnerability, but are related to the functional area patched,” Kandek told Threatpost via email. “The current patches have a fairly low score of 1.5, but could still trigger a new release if the vulnerabilities are in areas that Microsoft Exchange’s WebReady module exercises.”
Exchange 2013, for example, also uses Outside In for DLP, which if configured to scan for attachments, can be exploited via a malformed attachment, Dormann said, adding that he recommends disabling WebReady as the most effective mitigation, or if that’s impossible, then ensure that Exchange is running on Windows Server 2008 or later, which supports ASLR.
“[Dormann's] recent post about the Outside In modules shows that there are still flaws to be fixed and probably new flaws to be found with the application of document fuzzing,” Kandek said. “We have seen the impressive document fuzzing results in finding new vulnerabilities during in activities for Microsoft Office 2010 and more recently in Google efforts around PDF.”
The Outside In patches are among 21 Fusion bugs patched in the July CPU, 16 of those remotely exploitable without authentication, Oracle said. A number of Oracle Database patches were released that affect Fusion Middleware products that support Oracle Database components.
Six security patches were released for Oracle Database Server, one of which is remotely exploitable found in the Network Layer component. The highest priority database patch is for a vulnerability in the server’s XML parser. Two others are in the Core RDBMS and two more in the Oracle executable component.
Oracle also issued 18 patches for its MySQL Server, two vulnerabilities are remotely exploitable, Oracle said.
“MySQL is often found exposed to the Internet, even though this is not considered best practice. If you use MySQL in your organization, it makes sense to run a perimeter scan to collect information on all databases externally exposed,” Kandek said.
Managers of Oracle Sun products such as Solaris are also in for a busy patch cycle. Oracle released 16 patches, half of the vulnerabilities are remotely exploitable. Most of the vulnerabilities are in Solaris Server, but two are in Solaris Cluster and one in SPARC Enterprise M servers.
Eight remotely exploitable bugs were also patched among 10 patches for PeopleSoft Enterprise People tools
The next Oracle CPU is scheduled for Oct. 15, which will also include for the first time patches for the Java Runtime Environment.