Oracle Analytics Cloud and Server

OBIEE 12.2.1.2 - XML entity expansion vulnerability


Hi,

We are using OBIEE 12.2.1.2.0 as the reporting tool for our application, and we've had a third-party company run a security scan, which has come up with the following XML entity expansion vulnerability.

The snippet below is from their response, which resulted in the Dashboard crashing out with an error. Is there a setting in OBIEE to disable entity expansion or protect against this?

Any help would be great!

Thanks in advance!

Adrian

........

3rd party company discovered that the application tested allowed for XML entity expansion. An attacker can submit an XML document and use the entity expansion to create an excessively large XML output. In the screenshot below, a new entity named, evil, was inserted into an existing DOCTYPE tag.

POST /analytics/saw.dll?Dashboard HTTP/1.1
Host: <application host name>

[Screenshot: xml_entity_expansion.png]
Answers

  • Isn't the system working correctly? You get an error telling you that there was an issue.

    "an attacker": this attacker is working in your company, has a valid login and password and permissions to access the system and do things. In that case he will probably use his access to get valuable data out of the system instead of playing with XML.

    If you want an official reply about your security concern you will have to go through an SR.

    PS: I guess I once read that those kinds of tests against Oracle tools were against the licensing agreements; I just can't remember where I saw that and what the context was.

  • Hi Gianni,

    Thanks for your reply.

    Potentially, yes, it could break the system.

    "XML entity expansion vulnerabilities occur because the XML specification allows XML documents to define entities that reference other entities defined within the document. This becomes an issue when the software uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), such as a DOCTYPE tag. If the DTD contains a large number of recursive entities, then the XML parser will require exponentially increasing amounts of memory and processor resources to process each level of entity recursion. This will result in a denial-of-service condition, causing the entire server or application to stop functioning and become unresponsive."

    In this context the 'attacker' would be someone who is outside the company, doesn't have a valid username or password and has gained access to the browser with OBIEE session history and cookies. Although I think in this case they would need to have logged into OBIEE first before they can manipulate the XML documents; would this be the case?

    Adrian
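As an added illustration, not code from this thread or from Oracle, the parser-side control the quoted description points at: refuse a DTD before any entity is expanded, so the exponential growth described above never starts. It uses only Python's standard-library expat binding. The two request bodies are constructed samples with made-up element names, not captured OBIEE traffic; whether OBIEE itself exposes an equivalent setting is the open question of the thread and is not answered here.

```python
import xml.parsers.expat


class DtdNotAllowed(ValueError):
    """Raised when a document carries a DOCTYPE or entity declaration."""


def parse_without_dtd(xml_bytes: bytes) -> dict:
    """Parse XML with expat, refusing any DTD before a single entity is expanded.

    Returns {"root": <root tag>, "elements": <element count>} for an accepted
    document; raises DtdNotAllowed for a document with a DOCTYPE or entity
    declaration, and xml.parsers.expat.ExpatError for malformed XML.
    """
    state = {"root": None, "elements": 0}

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # expat fires this handler before it reads the internal subset, so
        # no entity is ever declared, let alone expanded.
        raise DtdNotAllowed(f"DOCTYPE {name!r} is not accepted")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Second layer: reject any entity declaration that reaches the parser.
        raise DtdNotAllowed(f"entity declaration {name!r} is not accepted")

    def start_element(name, attrs):
        if state["root"] is None:
            state["root"] = name
        state["elements"] += 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = start_element
    parser.Parse(xml_bytes, True)  # exceptions raised in handlers propagate here
    return state


def is_accepted(xml_bytes: bytes) -> bool:
    """True if the document parses and carries no DTD; False otherwise."""
    try:
        parse_without_dtd(xml_bytes)
    except (DtdNotAllowed, xml.parsers.expat.ExpatError):
        return False
    return True


# Constructed sample request bodies (hypothetical; not captured from OBIEE).
PLAIN_BODY = b"""<?xml version="1.0"?>
<request><dashboard name="Sales"><page>1</page></dashboard></request>"""

# A DOCTYPE with one trivial entity, enough to show the gate closing.
DTD_BODY = b"""<?xml version="1.0"?>
<!DOCTYPE request [ <!ENTITY evil "x"> ]>
<request><dashboard name="&evil;"/></request>"""


if __name__ == "__main__":
    print(parse_without_dtd(PLAIN_BODY))  # {'root': 'request', 'elements': 3}
    print(is_accepted(DTD_BODY))          # False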

Welcome!

It looks like you're new here. Sign in or register to get started.