CVE-2012-3152 & CVE-2012-3153 Scanner
Detects 'Remote Code Execution (RCE)' vulnerability in Oracle Reports Developer component in Oracle Fusion Middleware affects v. 11.1.1.4, 11.1.1.6, and 11.1.2.0.
Short Info
Level
Medium
Type
Single Scan
Can be used by
Asset Owner
Estimated Time
10 sec
Scan only one
Url
Parent Category
CVE-2012-3152 & CVE-2012-3153 Scanner Detail
The Oracle Reports Developer component is a part of the Oracle Fusion Middleware, which is an integrated platform that allows for the development, deployment, and management of applications. Specifically, the Reports Developer component is used for creating and generating reports that extract data from databases and present it in various formats. This can be used for a multitude of purposes, such as business intelligence, financial reporting, and analytics.
Two of the vulnerabilities that has been detected in the Oracle Reports Developer component are CVE-2012-3152 and CVE-2012-3153. These vulnerabilities allows remote attackers to affect the confidentiality and integrity of the system by exploiting unknown vectors related to the Report Server Component. The precise details of the vectors have not been disclosed, but it has been documented that the URLPARAMETER functionality allows remote attackers to read and upload arbitrary files to reports/rwservlet. This issue has been found to occur in earlier versions of the Reports Developer component as well.
Exploiting this vulnerability can lead to numerous consequences, including data theft and loss, unauthorized access to sensitive information, and the possibility of arbitrary code execution. By uploading a .jsp file, attackers can execute arbitrary code on the affected system, allowing them to gain further access and control over it.
Thanks to the pro features of the securityforeveryone.com platform, users can easily and quickly learn about vulnerabilities in their digital assets. Our platform provides comprehensive vulnerability scanning and reporting, as well as expert guidance and support, to ensure that your systems are fully protected against the latest threats. With securityforeveryone.com, you can rest assured that your data and systems are in safe hands.
REFERENCES
- http://blog.netinfiltration.com/2013/11/03/oracle-reports-cve-2012-3152-and-cve-2012-3153/
- http://blog.netinfiltration.com/2014/01/19/upcoming-exploit-release-oracle-forms-and-reports-11g/
- http://seclists.org/fulldisclosure/2014/Jan/186
- http://www.exploit-db.com/exploits/31253
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
- http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
- http://www.securityfocus.com/bid/55961
- https://exchange.xforce.ibmcloud.com/vulnerabilities/79296
control security posture