Oracle’s Demantra, part of the company’s Value Chain Planning suite of software, is fraught with vulnerabilities according to several bug disclosures issued over the weekend.
Researchers at the London-based computer security firm Portcullis claim the application is plagued by four vulnerabilities that could allow an attacker to extract sensitive information, carry out phishing attacks, and modify content within the application, among other attacks.
The first problem, a local file vulnerability (CVE-2013-5877) in the app, could let an attacker harvest useful information from the web.xml configuration file or “download the whole web application source code,” according to a warning published Saturday.
A SQL injection vulnerability (CVE-2014-0372) in Demantra could allow an attacker to extract authentication credentials and personal details from the app, as well as modify content. From there, if an attacker added malicious code, they could deliver malware or target other exploits in client browsers. The security firm notes that modifying content might be a bit more difficult because the attacker would have to execute a “blind” SQL injection attack and request many pages to get it to work, but says this “does not prevent exploitation.”
A cross-site scripting vulnerability (CVE-2014-0379) in the app’s TaskSender could let an attacker execute script code in an authenticated user’s browser, which could lead to session hijacking.
This might be the most troublesome of all the bugs because it can open up a whole can of worms on top of the session hijacking.
With a hijacked session, an attacker could access the site as that user and perform actions as them, such as viewing and changing personal data and making transactions. The vulnerability can also be leveraged in a phishing attack in which an attacker creates a fake log-in page and gets a genuine user to log in without knowing the site had been compromised.
Portcullis notes that in a worst-case scenario the attacker could even gain full control of a user’s computer if they used the XSS vulnerability to exploit any further vulnerabilities in browsers.
The last big vulnerability is a problem with the app’s backend that the firm calls a Database Credentials Disclosure vulnerability (CVE-2013-5795); it can let anyone retrieve the database instance name and corresponding credentials. This means an attacker could combine this issue with some of the others to steal database credentials.
Oliver Gruskovnjak, the chief technical officer at Portcullis, pointed out all the vulnerabilities on Saturday on the company’s site and via seclists.org’s Full Disclosure mailing list.
All issues are present in version 12.2.1 of Demantra, an analytical engine produced by Oracle that allows its users to keep track of demand management, trade planning and sales/operations planning.
Oracle patched Demantra as recently as January as part of its quarterly Critical Patch Update (CPU), fixing six bugs in the app, four of which were remotely exploitable without authentication. While Oracle didn’t immediately respond to a request for comment on Monday, it’s probably safe to say the company is busy working on patching these issues for its next CPU, scheduled for release on April 15.