Oracle SDK Flaws Target Major Software Products

Oracle’s Outside In Technology libraries found to contain 18 vulnerabilities which can result in major software cyberattacks.

The dangerous Patch Update goes with the record-worthy impressive amount of 276 vulnerabilities, 19 of which critical. It was released by Oracle on July 19. The company has mended 17 issues affecting Outside In Technology (OIT), a Fusion Middleware suite of software development kits (SDKs). The kits can extract, scrub, normalize, view and convert more than 600 unstructured file formats.

The flaws were first detected by Cisco Talos researchers, who have exposed 19 OIT vulnerabilities this year. Oracle patched two of them with the Critical Patch Updates in January and April. The flaws include arbitrary code execution, information leakage and denial-of-service (DoS) issues.

The biggest problem is that many software enterprises, including Google, Microsoft, IBM, Symantec, HPE, Avira, Novell and Raytheon, use these OITs for software production. It is not clear yet if all of them are vulnerable, but it is confirmed that at least some run the infection in their products.

According to experts, cybercriminals will not find it difficult to exploit these security holes. For instance, Microsoft’s Exchange enterprise uses the Outside In SDKs and if the WebReady Document Viewing feature is enabled in version 2013 or earlier, all it takes is a malicious email attachment to infect the target. The same is the situation with Avira AntiVir, which is also affected.

CERT Coordination Center reported in January that a researcher found several stack-based buffer overflow flaw created to process WK4, Doc and Paradox DB files. CERT/CC also adds that the majority of vendors using the Oracle SDKs has already been affected.

Patching all the affected products will be a long process, as Cisco Talos states.

“This provides a rather large window of time in which miscreants can exploit vulnerabilities in third-party products,” Talos says.

Although patched SDK`s have already been released by Oracle, it`s all now in the vendors` hands who have to make sure their customers have the updates.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.