A total of 18 vulnerabilities found by researchers in Oracle’s Outside In Technology libraries could expose the products of numerous major software vendors to attacks.
The Critical Patch Update released by Oracle on Tuesday patches a record-breaking 276 vulnerabilities, including 19 that have been rated critical. The list of flaws fixed by the software giant this week also includes 17 high severity issues affecting Outside In Technology (OIT), a Fusion Middleware suite of software development kits (SDKs) that can be used to extract, scrub, normalize, view and convert the content of roughly 600 unstructured file formats.
The security holes were reported by researchers at Cisco Talos, who have disclosed a total of 19 OIT vulnerabilities this year, two of which Oracle resolved with the Critical Patch Updates released in January and April. The flaws include arbitrary code execution, information leakage and denial-of-service (DoS) issues.
The main concern is that the OIT libraries are used in many third-party software products, including enterprise solutions from Avira, IBM, Google, Microsoft, Raytheon, HPE, Symantec and Novell.
Cisco has pointed out that it hasn’t checked if all the third-party products that use the SDKs are vulnerable to attacks, but the company has confirmed that some of them do run the affected code.
Experts noted that in some cases it would be relatively easy for a malicious actor to exploit these security holes. For example, the Outside In SDKs are used by Microsoft’s Exchange enterprise email and productivity solution. If the WebReady Document Viewing feature is enabled in Microsoft Exchange 2013 and earlier, an attacker can exploit the vulnerabilities simply by sending a malicious email attachment to the targeted user; no interaction beyond the server rendering the attachment is required.
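Because the Exchange exposure hinges on whether WebReady Document Viewing is switched on, the first thing an administrator will want is an inventory of where it is enabled. The following read-only audit is an added example, not code from the article, Oracle, Microsoft or Cisco Talos. It assumes it is run from the Exchange Management Shell on Exchange 2010 or 2013 and that the `WebReadyDocumentViewing*` properties exposed by `Get-OwaVirtualDirectory` and `Get-OwaMailboxPolicy` in those versions are present in your build; the function name `Get-WebReadyExposure` is the example's own.

```powershell
# Added example (not from the article or any vendor): read-only audit of
# WebReady Document Viewing across an Exchange 2010/2013 organization.
# Assumption: run in the Exchange Management Shell with a role that can read
# OWA virtual directories and OWA mailbox policies; property names are those
# documented for the WebReady feature in those Exchange versions.

function Get-WebReadyExposure {
    [CmdletBinding()]
    param()

    $findings = @()

    # Per-server defaults: each OWA virtual directory carries its own
    # WebReady switches for "public" and "private" computer sessions.
    foreach ($vdir in Get-OwaVirtualDirectory) {
        $findings += [pscustomobject]@{
            Scope             = 'OwaVirtualDirectory'
            Name              = "$($vdir.Server)\$($vdir.Name)"
            PublicEnabled     = [bool]$vdir.WebReadyDocumentViewingOnPublicComputersEnabled
            PrivateEnabled    = [bool]$vdir.WebReadyDocumentViewingOnPrivateComputersEnabled
            AllSupportedTypes = [bool]$vdir.WebReadyDocumentViewingForAllSupportedTypes
        }
    }

    # Per-policy settings: an OWA mailbox policy assigned to users can
    # re-enable the feature even where the virtual directory has it off.
    foreach ($policy in Get-OwaMailboxPolicy) {
        $findings += [pscustomobject]@{
            Scope             = 'OwaMailboxPolicy'
            Name              = $policy.Name
            PublicEnabled     = [bool]$policy.WebReadyDocumentViewingOnPublicComputersEnabled
            PrivateEnabled    = [bool]$policy.WebReadyDocumentViewingOnPrivateComputersEnabled
            AllSupportedTypes = [bool]$policy.WebReadyDocumentViewingForAllSupportedTypes
        }
    }

    # Only report objects where server-side document rendering is actually on;
    # these are the places where a mailed attachment reaches the Outside In code.
    $findings | Where-Object { $_.PublicEnabled -or $_.PrivateEnabled }
}

# Usage: list every virtual directory and policy that still has WebReady on.
Get-WebReadyExposure | Format-Table -AutoSize
```

An empty result means no OWA virtual directory or mailbox policy has WebReady rendering enabled. Where the audit does report objects, the corresponding `Set-OwaVirtualDirectory` and `Set-OwaMailboxPolicy` cmdlets accept the same `WebReadyDocumentViewingOnPublicComputersEnabled` and `WebReadyDocumentViewingOnPrivateComputersEnabled` parameters, so the feature can be turned off per object until the vendor's patched SDK is in place; treat the audit output as the change list rather than disabling blindly, since the feature may be relied on by users without desktop Office.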
Avira AntiVir for Exchange is also affected. Since the application scans all inbound and outbound email, it’s enough to send or receive a malicious message to trigger the vulnerabilities.
An advisory published by the CERT Coordination Center in January describes several stack-based buffer overflow vulnerabilities found by a researcher in the Outside In libraries that parse WK4, Doc and Paradox DB files. CERT/CC reported at the time that the flaws affected products from most of the vendors that leveraged the Oracle SDKs.
Cisco Talos has warned that it could take some time until the defects are patched in all the impacted products. Oracle has released patched SDKs, but each downstream vendor must rebuild and ship its own product with the updated libraries before its customers are protected.
“This provides a rather large window of time in which miscreants can exploit vulnerabilities in third-party products,” Talos warned.