Vulnerabilities discovered by Aleksandar Nikolic. Blog post authored by Jaeson Schultz and Aleksandar Nikolic.
One of the most fundamental tasks performed by many software programs involves the reading, writing, and general processing of files. In today’s highly networked environments, files and the programs that process them can be found just about everywhere: FTP transfers, HTTP form uploads, email attachments, et cetera.
Because computer users interact with files of so many different varieties on such a regular basis, Oracle Corporation has designed tools to assist programmers with writing software that will support these everyday tasks: Outside In Technology (OIT). From the OIT website: “Outside In Technology is a suite of software development kits (SDKs) that provides developers with a comprehensive solution to extract, normalize, scrub, convert and view the contents of 600 unstructured file formats.”
In April, Talos blogged about one of the OIT-related arbitrary code execution bugs patched by Oracle. The impact of that vulnerability, plus these additional eighteen OIT bugs disclosed in this post, is severe because so many third-party products use Oracle’s OIT to parse and transform files. A review of an OIT-related CERT advisory from January 2016 reveals a large list of third-party products, especially security and messaging-related products, that are affected. The list of products that, according to CERT, rely on Oracle’s Outside In SDK includes:
- Avira AntiVir for Exchange – antivirus protection for Microsoft Exchange
- IBM WebSphere Portal – provides enterprise web portals
- Google Search Appliance – search all content in an enterprise through a single search box
- Guidance Encase – forensic investigation software
- Microsoft Exchange – enterprise email and productivity software
- Novell Groupwise – a collaboration tool for large enterprise
- Raytheon SureView – software designed for enterprise visibility and user activity monitoring
- Veritas (Symantec) Enterprise Vault – a program for information governance through archiving
Fun Fact of the day: At a security conference some years ago, the discussion was about operating system security. The discussion shifted to “Unbreakable Linux”, which had been released some years before, and one of the participants mentioned/joked that anyone who is interested in security should never use Oracle products. Later I realized that he was from Microsoft. And at that time Windows Server 2003/2008 were the dominant server systems (which were, well, not always unbreakable …)