Oracle BI Publisher Mobile Service Unspecified Remote Information Disclosure (July 2014 CPU)

2014-07-2300:00:00

www.tenable.com

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.888 High

EPSS

Percentile

98.7%

JSON

The remote Oracle Business Intelligence Publisher install is affected by an unspecified information disclosure vulnerability related to the ‘Mobile Service’ component.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(76709);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2014-4249");
  script_bugtraq_id(68605);

  script_name(english:"Oracle BI Publisher Mobile Service Unspecified Remote Information Disclosure (July 2014 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by an unspecified remote information
disclosure vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote Oracle Business Intelligence Publisher install is affected
by an unspecified information disclosure vulnerability related to the
'Mobile Service' component.");
  # https://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?77697fb1");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the July 2014 Oracle Critical
Patch Update advisory.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-4249");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/07/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/07/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/07/23");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:business_intelligence_publisher");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2014-2022 Tenable Network Security, Inc.");

  script_dependencies("oracle_bi_publisher_installed.nbin");
  script_require_keys("installed_sw/Oracle Business Intelligence Publisher");
  script_require_ports(139, 445);

  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");
include("install_func.inc");
include("byte_func.inc");
include("bsal.inc");
include("zip.inc");

appname = "Oracle Business Intelligence Publisher";

get_kb_item_or_exit("installed_sw/" + appname);

if (get_kb_item("SMB/not_windows")) audit(AUDIT_OS_NOT, "Windows");

installs = get_installs(app_name:appname);

if (installs[0] == IF_NOT_FOUND) audit(AUDIT_NOT_INST, appname);

report = '';

install = branch(installs[1]);

path = install['path'];
version = install['version'];

if (version !~ "^11\.1\.1\.7(\.0)?$") audit(AUDIT_INST_PATH_NOT_VULN, appname, version, path);

name    =  kb_smb_name();
port    =  kb_smb_transport();
if (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);
login   =  kb_smb_login();
pass    =  kb_smb_password();
domain  =  kb_smb_domain();

# Try to connect to server.
soc = open_sock_tcp(port);
if (!soc) audit(AUDIT_SOCK_FAIL, port);

session_init(socket:soc, hostname:name);

ear_file = hotfix_append_path(path:path, value:"bifoundation\jee\bimad.ear");

share = ereg_replace(string:ear_file, pattern:"^([A-Za-z]):.*", replace:"\1$");
path = ereg_replace(string:ear_file, pattern:"^[A-Za-z]:(.*)", replace:"\1");
NetUseDel(close:FALSE);

# Connect to the share software is installed on.
rc = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (rc != 1)
{
  NetUseDel();
  audit(AUDIT_SHARE_FAIL, share);
}

fh = CreateFile(
  file:path,
  desired_access:GENERIC_READ,
  file_attributes:FILE_ATTRIBUTE_NORMAL,
  share_mode:FILE_SHARE_READ,
  create_disposition:OPEN_EXISTING
);

# only installs with mobile app developer will have this file
if (!fh)
{
  NetUseDel();
  audit(AUDIT_INST_PATH_NOT_VULN, appname, version, path);
}

res = zip_parse(smb:fh);

# cleanup
CloseFile(handle:fh);
NetUseDel();

if (isnull(res)) exit(1, "Unable to parse '" + ear_file + "'.");

ts = res['files']['bimad.war']['timestamp'];

if (!ts) exit(1, "Unable to obtain timestamp of 'bimad.war' inside '" + ear_file + "'.");

item = pregmatch(pattern:"^(\d{4}-\d{2}-\d{2}) ", string:ts);
if (isnull(item) || isnull(item[1])) exit(1, "Unexpected error parsing timestamp '" + ts + "'");

fix_ts = "2014-05-31";
if (
  ver_compare(ver:str_replace(find:"-", replace:".", string:item[1]),
               fix:str_replace(find:"-", replace:".", string:fix_ts),
               strict:FALSE) == -1
)
{
  if (report_verbosity > 0)
  {
    report = '\n  Unpatched File        : ' + ear_file +
             '\n  \'bimad.war\' timestamp : ' + ts +
             '\n  Fixed timestamp       : ' + fix_ts + '\n';

    security_warning(extra:report, port:port);
  }
  else security_warning(port);
}
else audit(AUDIT_INST_PATH_NOT_VULN, appname, version, path);

VendorProductVersionCPE
oraclefusion_middlewarecpe:/a:oracle:fusion_middleware
oraclebusiness_intelligence_publishercpe:/a:oracle:business_intelligence_publisher