Vulnerability Note VU#118913
Oracle Outside In contains multiple exploitable vulnerabilities
Original Release date: 17 Jul 2012 | Last revised: 15 Aug 2012
Overview
Oracle Outside In contains multiple exploitable vulnerabilities in its parsers, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Description
Oracle Outside In is a set of libraries that can decode over 500 different file formats. Originally written by Stellent, Outside In is now part of Oracle. The Oracle Outside In libraries are used by a variety of applications, including Microsoft Exchange, Oracle Fusion Middleware, Guidance EnCase Forensics, AccessData FTK, and Novell GroupWise. Outside In 8.3.7.77 and earlier fail to properly handle multiple file types when the data is malformed. The file types that have vulnerable parsers are: .VSD, .WSD, .JP2, .DOC, .SXD, .LWP, .PCX, .SXI, .DPT, .PDF, .SAM, .ODG, and .CDR.
Impact
By causing an application to process a specially-crafted file with the Oracle Outside In library, a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the vulnerable application. Depending on what application is using Outside In, this may happen as the result of some user interaction, such as single-clicking on a file, or it may happen with no user interaction at all.
Solution
Apply an update
Use the Microsoft Enhanced Mitigation Experience Toolkit
Vendor Information
Vendor | Status | Date Notified | Date Updated |
---|---|---|---|
AccessData | Affected | 15 Jul 2012 | 17 Jul 2012 |
ACD Systems International | Affected | - | 17 Jul 2012 |
Avantstar | Affected | - | 17 Jul 2012 |
Avira | Affected | - | 26 Jul 2012 |
Cisco Systems, Inc. | Affected | 15 Jul 2012 | 17 Jul 2012 |
Good Technology | Affected | - | 03 Aug 2012 |
Guidance Software, Inc. | Affected | 15 Jul 2012 | 17 Jul 2012 |
Hewlett-Packard Company | Affected | 15 Jul 2012 | 17 Jul 2012 |
IBM Corporation | Affected | 15 Jul 2012 | 17 Jul 2012 |
Kamel Software | Affected | - | 17 Jul 2012 |
kcura | Affected | 15 Jul 2012 | 17 Jul 2012 |
Kroll Ontrack Inc | Affected | 15 Jul 2012 | 17 Jul 2012 |
Lucion | Affected | 15 Jul 2012 | 17 Jul 2012 |
MarkLogic Corporation | Affected | 15 Jul 2012 | 17 Jul 2012 |
McAfee | Affected | 15 Jul 2012 | 17 Jul 2012 |
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Temporal | 7.8 | E:POC/RL:OF/RC:C |
Environmental | 6.7 | CDP:H/TD:M/CR:H/IR:H/AR:H |
References
- www.oracle.com/technetwork/topics/security/cpujul2012-392727.html
- www.oracle.com/us/technologies/embedded/025613.htm
- www.oracle.com/us/corporate/Acquisitions/stellent/index.html
- support.microsoft.com/kb/2458544
- blogs.technet.com/b/srd/archive/2010/12/08/on-the-effectiveness-of-dep-and-aslr.aspx
- technet.microsoft.com/en-us/security/bulletin/ms12-058
Credit
This vulnerability was reported by Will Dormann of the CERT/CC.
This document was written by Will Dormann.
Other Information
- CVE IDs: CVE-2012-1766 CVE-2012-1767 CVE-2012-1768 CVE-2012-1769 CVE-2012-1770 CVE-2012-1771 CVE-2012-1772 CVE-2012-1773 CVE-2012-3106 CVE-2012-3107 CVE-2012-3108 CVE-2012-3109 CVE-2012-3110
- Date Public: 17 Jul 2012
- Date First Published: 17 Jul 2012
- Date Last Updated: 15 Aug 2012
- Document Revision: 40