CERTVU:953241Oracle Outside In Microsoft Access 1.x parser stack buffer overflow
1.5 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:L/AC:M/Au:S/C:N/I:N/A:P
0.037 Low
EPSS
Percentile
91.7%
Overview
Oracle Outside In contains a stack buffer overflow vulnerability in the Microsoft Access 1.x database file parser, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Description
Oracle Outside In is a set of libraries that can decode over 500 different file formats. Originally written by Stellent, Outside In is now part of Oracle. The Oracle Outside In libraries are used by a variety of applications, including Microsoft Exchange, Google Search Appliance, Oracle Fusion Middleware, Guidance Encase Forensics, AccessData FTK, and Novell Groupwise.
The Outside In library for processing Microsoft Access 1.x data contains a stack buffer overflow vulnerability (CWE-121). On Microsoft Windows platforms, this capability is provided by the library vsacs.dll. Versions older than 8.4.0.108 and 8.4.1.52 are affected.
Impact
By causing an application to process a specially-crafted file with the Oracle Outside In library, a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the vulnerable application. Depending on what application is using Outside In, this may happen as the result of some user interaction, such as single-clicking on a file, or it may happen with no user interaction at all.
Solution
Apply an update
This vulnerability is addressed in the Oracle Fusion Middleware Critical Patch Update - October 2013. This update provides versions 8.4.0.108 and 8.4.1.52 of the Microsoft Access 1.x parsing library. Note that Oracle has indicated that Outside In versions older than 8.4.0 are no longer supported. Please also consider the following workarounds.
Use the Microsoft Enhanced Mitigation Experience Toolkit
The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this and other vulnerabilities.
Enable DEP in Microsoft Windows
Consider enabling Data Execution Prevention (DEP) in supported versions of Windows. DEP should not be treated as a complete workaround, but it can mitigate the execution of attacker-supplied code in some cases. Microsoft has published detailed technical information about DEP in Security Research & Defense blog posts “Understanding DEP as a mitigation technology” part 1 and part 2. DEP should be used in conjunction with the application of patches or other mitigations described in this document.
Note that when relying on DEP for exploit mitigation, it is important to use a system that supports Address Space Layout Randomization (ASLR) as well. ASLR is not supported by Windows XP or Windows Server 2003 or earlier. ASLR was introduced with Microsoft Windows Vista and Windows Server 2008. Please see the Microsoft SRD blog entry: On the effectiveness of DEP and ASLR for more details.
Vendor Information
953241
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
ACD Systems International __ Affected
Updated: October 16, 2013
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
ACD Systems Canvas uses Outside In.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23953241 Feedback>).
AccessData __ Affected
Notified: October 16, 2013 Updated: October 16, 2013
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
FTK uses Outside In.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23953241 Feedback>).
Avantstar __ Affected
Updated: October 16, 2013
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
Quick View Plus uses Outside In.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23953241 Feedback>).
Avira __ Affected
Updated: October 16, 2013
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
Avira Antivir for Exchange has been reported to use Outside In.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23953241 Feedback>).
Cisco Systems, Inc. __ Affected
Notified: October 16, 2013 Updated: October 16, 2013
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
Cisco Security Agent uses Oracle Outside In to provide Data Loss Prevention (DLP) functionality.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23953241 Feedback>).
Good Technology __ Affected
Notified: October 16, 2013 Updated: October 16, 2013
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
Good Technology no longer uses the Oracle Outside In
product, as of version 6.0.3.52 of the Good Mobile Messaging Server. Running
the Good Mobile Messaging Server (GMMS) does not expose any risk to the
user, as the GMMS does not make any calls to the Outside In software, thus
the Outside In application is never executed by GMMS.
Google __ Affected
Updated: April 01, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
Google Search Appliance (GSA) uses Outside In. Google has indicated that they update Outside In when appropriate, but they have not indicated which GSA version may address this issue.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23953241 Feedback>).
Guidance Software, Inc. __ Affected
Notified: October 16, 2013 Updated: October 16, 2013
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
Guidance Encase uses Outside In.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23953241 Feedback>).
Hewlett-Packard Company __ Affected
Notified: October 16, 2013 Updated: October 16, 2013
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
HP TRIM uses Outside In.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23953241 Feedback>).
IBM Corporation __ Affected
Notified: October 16, 2013 Updated: January 29, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
- <http://www-01.ibm.com/support/docview.wss?uid=swg21660640>
- <http://www-01.ibm.com/support/docview.wss?uid=swg21659215>
Addendum
IBM WebSphere Portal and ECM products including OmniFind Enterprise Edition use Outside In.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23953241 Feedback>).
Kamel Software __ Affected
Updated: October 16, 2013
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
Kamel Fastlook uses Outside In.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23953241 Feedback>).
Kroll Ontrack Inc __ Affected
Notified: October 16, 2013 Updated: October 16, 2013
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
Some Kroll Ontrack software, such as Ontrack EasyRecovery and PowerControls, uses Outside In to provide file viewing capabilities.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23953241 Feedback>).
Lucion __ Affected
Notified: October 16, 2013 Updated: October 16, 2013
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
Lucion FileCenter uses Outside In.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23953241 Feedback>).
MarkLogic Corporation __ Affected
Notified: October 16, 2013 Updated: October 16, 2013
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vulnerability no longer exists any any current version of MarkLogicServer, and users cannot download an affected version.
The updated versions of the server are available for download at
<http://developer.marklogic.com>.
Addendum
Oracle Outside In is provided with MarkLogic Server 4.0, 4.1, and 4.2. MarkLogic Server 5.0 does not provide the Oracle Outside In libraries, however.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23953241 Feedback>).
McAfee __ Affected
Notified: October 16, 2013 Updated: October 16, 2013
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
McAfee GroupShield as well as Host Data Loss Prevention 9.0 and earlier use Outside In to provide file content filtering capabilities. Other versions may also be affected.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23953241 Feedback>).
Microsoft Corporation __ Affected
Notified: October 16, 2013 Updated: December 10, 2013
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Addendum
Microsoft Exchange 2007, 2010, and 2013 use Oracle Outside In for its WebReady document viewing feature. By viewing a document with OWA WebReady, arbitrary code may execute on the Exchange server. Please see Microsoft Security Bulletin MS13-105 for updates. Microsoft FAST Search Server 2010 for SharePoint Parsing also uses Oracle Outside In.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23953241 Feedback>).
NewSoft America Inc __ Affected
Notified: October 16, 2013 Updated: October 16, 2013
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
Presto! PageManager uses Outside In.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23953241 Feedback>).
Novell, Inc. __ Affected
Notified: October 16, 2013 Updated: October 16, 2013
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
Novell Groupwise uses Outside In for viewing email attachments.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23953241 Feedback>).
Oracle Corporation Affected
Notified: September 11, 2013 Updated: October 16, 2013
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Paraben Corporation __ Affected
Updated: October 16, 2013
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
Limited testing has shown Paraben Device Seizure 4.3 to be vulnerable. Other versions may also be affected. Paraben has stopped using Outside In starting with version 4.5 build 4262.38310, and is therefore not affected with this and later versions.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23953241 Feedback>).
Perlustro __ Affected
Notified: October 16, 2013 Updated: October 16, 2013
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
Perlustro ILook uses Outside In.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23953241 Feedback>).
Raytheon __ Affected
Updated: April 28, 2014
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
Raytheon SureView uses Outside In.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23953241 Feedback>).
Stellent Affected
Updated: October 16, 2013
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Symantec __ Affected
Notified: October 16, 2013 Updated: October 16, 2013
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
Symantec Enterprise Vault uses Outside In.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23953241 Feedback>).
Windream gmbh __ Affected
Updated: October 16, 2013
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
windream server uses Outside In.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23953241 Feedback>).
X1 Technologies Inc. __ Affected
Notified: October 16, 2013 Updated: October 16, 2013
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
X1 Professional uses Outside In.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23953241 Feedback>).
kcura __ Affected
Notified: October 16, 2013 Updated: October 16, 2013
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
kCura Relativity uses Outside In.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23953241 Feedback>).
Dell Computer Corporation, Inc. __ Unknown
Notified: October 16, 2013 Updated: October 16, 2013
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
Some Dell printer software provides files from Outside In, but it is not clear if it is affected.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23953241 Feedback>).
Lexmark International __ Unknown
Notified: October 16, 2013 Updated: October 16, 2013
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
Some Lexmark printer software provides components from Outside In, but it is not clear if it is affected.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23953241 Feedback>).
Motorola, Inc. Unknown
Notified: October 16, 2013 Updated: October 16, 2013
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
SafeNet Unknown
Updated: October 16, 2013
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Sharp Electronics Corporation __ Unknown
Notified: October 16, 2013 Updated: October 16, 2013
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
Sharp Sharpdesk provides some components from Outside In, but it is not clear if it is affected.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23953241 Feedback>).
Westlaw __ Unknown
Updated: October 16, 2013
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Addendum
West Publisher E-Transcript Bundle Viewer provides some components from Outside In, but it is not clear if it is affected.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23953241 Feedback>).
View all 33 vendors __View less vendors __
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| Temporal | 8.3 | E:F/RL:OF/RC:C |
| Environmental | 6.2 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
- <http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html>
- <http://cwe.mitre.org/data/definitions/121.html>
Acknowledgements
This vulnerability was reported by Will Dormann of the CERT/CC.
This document was written by Will Dormann.
Other Information
| CVE IDs: | CVE-2013-5791 |
|---|---|
| Date Public: | 2013-10-15 Date First Published: |
Related
1.5 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:L/AC:M/Au:S/C:N/I:N/A:P
0.037 Low
EPSS
Percentile
91.7%