A new zero-day vulnerability, CVE-2020-14723, was discovered by Cyber Security Works in Oracle Help Technologies, in the Web UIX component. CVE-2020-14723 has a base score of 5.8 and an exploitability score of 8.6 on the CVSSv2 vulnerability severity scale. This vulnerability was discovered in our research lab on January 11, 2020, and we found that it has affected geographic locations such as the United States, Ireland, Germany, Netherlands, and Brazil.
You can use the following script to detect this vulnerability:
Python 2.7+ required
Multi-OS support
- Install the necessary modules: pip install -r requirements.txt
- Add the IPs to be scanned to a text file saved as IP.txt in the same folder as the script.
- Payloads.txt: the default text file must be present in the same folder. Users who want to check other payload types for firewall bypass can add them to this file as needed.
- Once both text files are present, the script can be executed directly from the command line: python Oracle.py
- The script will send an HTTP request to the IPs present in the IP list file and examine the response for the presence of the vulnerability.
- After the script has validated the list of IPs provided, an Excel file with the output, Results.xls, is generated automatically.
- The generated Excel sheet lists the vulnerable and not vulnerable hosts for CVE-2020-14723.
Vulnerability Detection
CVE-2020-14723 was detected using an IAST tool to capture the request, which showed that a simple payload is reflected in the response.
Disclosure
The vulnerability was disclosed to Oracle in January 2020. The vendor responded and released a patch in June 2020 to mitigate this vulnerability.
Timeline
Date | Description |
Jan 11, 2020 | Discovered in our research lab |
Jan 12, 2020 | Reported to Oracle |
Jun 23, 2020 | Oracle notified us that the issue was addressed in the main code line and scheduled for a future Critical Patch Update (CPU) release. |
Jul 14, 2020 | The date of public disclosure |
Jul 15, 2020 | Published in NVD |
Jul 20, 2020 | Last modified on NVD |
Incident Analysis
CVE-2020-14723 allows an unauthenticated user to insert malicious JavaScript into the help page. Whenever a user clicks on the Print page option, the script is executed in the current user's browser context.
Vendor | Product | Versions |
Oracle | Help Technologies | 11.1.1.9.0, 12.2.1.3.0 |
Vulnerability Analysis
CVE-2020-14723 is a vulnerability in the Oracle Help Technologies product of Oracle Fusion Middleware (component: Web UIX). Supported versions that are affected are 11.1.1.9.0 and 12.2.1.3.0.
Proof of Concept
Product | Oracle Web Content Management |
Product Version | 12.2.1.3.0 |
Privilege | Any user who has access to the Help Page |
Request Type | GET |
Vulnerable URL | http://localhost/_ocsh/help/state?navSetId=help_for_translation_dc_template_editor_en_dcted_html_l10n_dcted_hlpbk&navId=0&locale=en844&destination= |
Vulnerable Parameter | locale |
Steps to Reproduce:
Step 1: Click on the Help docs page in the Oracle Web content.
Step 2: Navigate to any of the help topics and intercept the request using a proxy tool (Burp).
Step 3: Capture the request; a simple payload is reflected in the response without sanitization.
Step 4: While triggering the Print page event, the payload gets stored and is assigned with the path URL. Whenever the user clicks the print page, the payload will be automatically executed in the user’s browser.
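For defenders, the same request pattern can be hunted in web server access logs. The following Python 3 sketch is an added example, not part of the CSW detection script; it flags requests to the help state URL whose locale value contains anything other than plain tag characters. The allowlist pattern, the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path and parameter come from the proof-of-concept table above.
HELP_STATE_PATH = "/_ocsh/help/state"
PARAM = "locale"
# Assumption: a legitimate locale value is a short tag made of letters,
# digits, "_" or "-" (e.g. "en", "pt_BR"); anything else is worth review.
LOCALE_OK = re.compile(r"[A-Za-z0-9_-]{1,32}")
# Client address and request target from a combined-format log entry.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_locale_requests(log_lines):
    """Return (client, decoded_locale) pairs for help-state requests
    whose locale value fails the allowlist."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.endswith(HELP_STATE_PATH):
            continue
        # parse_qs percent-decodes, so URL-encoded markup is caught too.
        values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
        for value in values:
            if not LOCALE_OK.fullmatch(value):
                hits.append((client, value))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jul/2020:10:01:02 +0000] "GET /_ocsh/help/state?navSetId=x&navId=0&locale=en&destination= HTTP/1.1" 200 5120',
    '192.0.2.44 - - [15/Jul/2020:10:03:17 +0000] "GET /_ocsh/help/state?navSetId=x&navId=0&locale=en%3Ccanary%3E&destination= HTTP/1.1" 200 5188',
    '192.0.2.10 - - [15/Jul/2020:10:04:00 +0000] "GET /index.html?locale=%3Cb%3E HTTP/1.1" 200 812',
    '192.0.2.51 - - [15/Jul/2020:10:05:40 +0000] "GET /_ocsh/help/state?navId=0&locale=pt_BR HTTP/1.1" 200 5090',
]

if __name__ == "__main__":
    for client, value in suspicious_locale_requests(SAMPLE_LOG):
        print(f"{client} sent a non-locale value in '{PARAM}': {value!r}")
```

A hit only shows that markup-like input reached the parameter; whether the host reflected it still depends on its patch level.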
Mitigation
Oracle recommends that customers apply the Critical Patch Update July 2020 to the Oracle Database components of Oracle Fusion Middleware products. Click this link for the patch updates: https://www.oracle.com/security-alerts/cpujul2020.html
Impact
If this vulnerability is exploited successfully, it may result in the blocking of network protocols and may break application functionality. It may also result in unauthorized access to critical data, complete access to Oracle Help Technologies’ accessible data, and unauthorized updates (insert or delete access to Oracle Help Technologies accessible data).
Recommendation
Based on the CSW team’s recommendations, Oracle strongly advised its customers to remain on actively supported versions and apply critical security patches without delay.