OBIEE 12.2.1.2 - XML entity expansion vulnerability

Question

Hi,

We are using OBIEE 12.2.1.2.0 as the reporting for our application and we've had a third party company run a security scan and has come up with the following XML entity expansion vulnerability.

The snippet below is of their response which resulted in the Dashboard crashing out with an error.  Is there a setting in OBIEE to disable entity expansion or protect against this?

Any help would be great!

Thansk in advance!

Adrian

........

3rd party company discovered that the application tested allowed for XML entity expansion. An attacker can submit an XML document and use the entity expansion to create an excessively large XML
output. In the screenshot below, a new entity named, evil, was inserted into an existing DOCTYPE tag. POST /analytics/saw.dll?Dashboard HTTP/1.1 Host:<application host name>

OracleUser_MUC6U · Answer

Hi Gianni,

Thanks for your reply.

Potentially yes it could break the system

"XML entity expansion vulnerabilities occur because the XML specification allows XML documents to define entities that reference other entities defined within the document. This becomes an issue when the software
uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), such as a DOCTYPE tag. If the DTD contains a large number of recursive entities, then the XML parser will require exponentially
increasing amounts of memory and processor resources to process each level of entity recursion. This will result in a denial-of-service condition, causing the entire server or application to stop functioning and become unresponsive. "

In this context the 'attacker' would be some one which is outside the company, doesn't have a valid username or password and has gained access to the browser with OBIEE session history and cookies.  Although I think in this case they would need to have logged into OBIEE first before they can manipulate the XML documents - this would be the case?

Adrian

Gianni Ceresa · Answer

Isn't the system working correctly? You get an error telling you that there was an issue.

"an attacker" : this attacker is working in your company, has a valid login and password and permissions to access the system and do things. In that case he will probably uses his access to get valuable data out of the system instead of playing with XML.

If you want a official reply about your security concern you will have to go through a SR.

PS: I guess I once read that those kind of tests against Oracle tools were against the licensing agreements, I just can't remember where I saw that and what was the context.