
Major Enterprise Software Products Affected by Flaws in Oracle SDKs

A total of 18 vulnerabilities found by researchers in Oracle’s Outside In Technology libraries could expose the products of numerous major software vendors to attacks.


The Critical Patch Update released by Oracle on Tuesday patches a record-breaking 276 vulnerabilities, including 19 that have been rated critical. The list of flaws fixed by the software giant this week also includes 17 high-severity issues affecting Outside In Technology (OIT), a Fusion Middleware suite of software development kits (SDKs) that can be used to extract, scrub, normalize, view and convert the content of roughly 600 unstructured file formats.

The security holes were reported by researchers at Cisco Talos, who have disclosed a total of 19 OIT vulnerabilities this year, two of which Oracle resolved with the Critical Patch Updates released in January and April. The flaws include arbitrary code execution, information leakage and denial-of-service (DoS) issues.

The main concern is that the OIT libraries are used in many third-party software products, including enterprise solutions from Avira, IBM, Google, Microsoft, Raytheon, HPE, Symantec and Novell.

Cisco has pointed out that it hasn’t checked if all the third-party products that use the SDKs are vulnerable to attacks, but the company has confirmed that some of them do run the affected code.

Experts noted that in some cases it would be really easy for a malicious actor to exploit these security holes. For example, the Outside In SDKs are used by Microsoft’s Exchange enterprise email and productivity solution. If the WebReady Document Viewing feature is enabled in Microsoft Exchange 2013 and earlier, an attacker can exploit the vulnerabilities simply by sending a malicious email attachment to the targeted user.

Avira AntiVir for Exchange is also affected. Since the application scans all inbound and outbound email, it’s enough to send or receive a malicious message to trigger the vulnerabilities.


An advisory published by the CERT Coordination Center in January describes several stack-based buffer overflow vulnerabilities found by a researcher in the Outside In library designed for processing WK4, Doc and Paradox DB files. CERT/CC reported at the time that the flaws had affected products from most of the vendors that leveraged the Oracle SDKs.

Cisco Talos has warned that it could take some time until the defects are patched in all the impacted products. Oracle has released patched SDKs, but it’s now up to the vendors that use them to provide updates to their customers.

“This provides a rather large window of time in which miscreants can exploit vulnerabilities in third-party products,” Talos warned.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
