Blog
11.18.2020

CVE-2020-14864 Oracle Business Intelligence Enterprise Edition LFI

Virsec Security Research Lab Vulnerability Analysis

The Virsec Security Research Lab provides detailed analysis on recent and notable security vulnerabilities.

Vulnerability Summary

A Local File Inclusion vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Fusion Middleware (component: Installation). Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data.

A Directory Traversal vulnerability has been discovered in the 'getPreviewImage' function of Oracle Business Intelligence Enterprise Edition. The 'getPreviewImage' function is used to get a preview image of a previously uploaded theme logo. By manipulating the 'previewFilePath' URL parameter an attacker with access to the administration interface can read arbitrary system files.

Watch the video to learn more about this and other important vulnerabilities.

CVSS Score

The CVSS Base Score is 7.5 (High)

Affected Version

Supported versions that are affected are 5.5.0.0.0, 12.2.1.3.0 and 12.2.1.4.0.

Vulnerability Attribution

This issue was reported publicly by Ivo Palazzolo.

Risk Impact

Oracle Business Intelligence (BI) is a portfolio of technology and applications that provides Enterprise Performance Management System, including BI foundation and tools - integrated array of query, reporting, analysis, alerting, mobile analytics, data integration and management, etc.

Oracle BI is one of part of  Oracle Fusion Middleware which has a good market share of around 9% as per this link. Any exploit of this vulnerabilities could lead to exposure of all sensitive data that resides on the server, which could lead to leakage of proprietary information. Publicly available exploit of this vulnerability is available.

Virsec Security Platform (VSP) Support

The Virsec security platform (VSP)-Web capability can detect such a LFI attack and prevent this attack from being exploited.

Reference Links

Download the full vulnerability report to learn more about this and other important vulnerabilities.

Jump to: List of CVE Vulnerabilities

About the Author
Satya Gupta is Virsec’s visionary founder, with over 25 years of expertise in embedded systems, network security and systems architecture. Satya has helped build and guide the company through key growth phases from initial funding (2015), developing core technology with key partners including Raytheon and Lockheed (2016-2018), to launching an enterprise class, GA product (2019). Prior to this, Satya built a highly profitable software design and consulting business targeting data networking, application security and industrial automation projects. He was also Director of Firmware Engineering at Narad Networks and Managing Director and Chief Engineer at Eastern Telecom and Tech Ltd. Satya has more than 40 patents in complex firmware architecture with products deployed to hundreds of thousands of users. He holds a BS degree in Engineering from the Indian Institute of Technology in Kanpur and additional degrees from the University of Massachusetts at Lowell.