Oracle Business Intelligence Convert XXE CVE-2019-2767 - Vulnerability Database

Description

The Convert servlet in Oracle Business Intelligence Enterprise Edition (OBIEE) contains an XML External Entity (XXE) injection vulnerability tracked as CVE-2019-2767. The servlet parses attacker-supplied XML with external entity resolution left enabled, so an unauthenticated remote attacker can submit a crafted document whose entity declarations the parser resolves. Successful exploitation can lead to unauthorized file disclosure, server-side request forgery (SSRF), or denial-of-service conditions.

Remediation

Apply the Oracle Critical Patch Update released in July 2019, which addresses CVE-2019-2767. Follow these steps to remediate the vulnerability:

1. Immediate Action:
- Review Oracle's Critical Patch Update Advisory for July 2019 to identify the specific patch applicable to your OBIEE version
- Schedule and apply the security patch following Oracle's installation guidelines
- Test the patch in a non-production environment before deploying to production systems

2. Verification:
- After patching, verify that the Convert servlet properly rejects malicious XML payloads containing external entity references
- Review application logs for suspicious XML processing activity that occurred before the patch was applied

3. Defense in Depth (if immediate patching is not possible):
- Implement network-level controls to restrict access to the Convert servlet endpoint
- Deploy a Web Application Firewall (WAF) with rules to detect and block XXE attack patterns
- Monitor outbound connections from the OBIEE server for unexpected external requests

4. Long-term Prevention:
- Establish a regular patch management schedule for Oracle products
- Subscribe to Oracle security advisories to stay informed of new vulnerabilities
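The two checks that the verification and defense-in-depth steps above call for, a request-body signature for a WAF or log review and a parser that refuses DOCTYPE and external entity declarations, as an added example written for this page. It is not code from Oracle, Invicti or OBIEE; the sample request bodies and the `file:///placeholder/local/file` URI are constructed for the example, and the element names (`convert`, `format`) are assumed rather than taken from the real servlet.

```python
import re
import xml.parsers.expat as expat

# Constructed sample request bodies (not taken from Oracle or Invicti).
BENIGN_REQUEST = b'<?xml version="1.0"?><convert><format>pdf</format><name>report</name></convert>'
XXE_REQUEST = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE convert [ <!ENTITY ext SYSTEM "file:///placeholder/local/file"> ]>\n'
    b'<convert><format>&ext;</format></convert>'
)
# References an entity it never declares: the parser, not the signature, rejects this.
UNDECLARED_ENTITY_REQUEST = b'<convert><format>&ext;</format></convert>'
# Same payload re-encoded as UTF-16: the byte-level signature misses it, the parser still catches it.
EVASION_REQUEST = XXE_REQUEST.decode("ascii").encode("utf-16")

# WAF-style signature: any DTD or entity declaration in the body. A Convert-style
# endpoint that only accepts simple documents never needs either.
DTD_SIGNATURE = re.compile(rb"<!\s*(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class XXERejected(ValueError):
    """Raised when a request carries a DTD."""


def looks_like_xxe(raw: bytes) -> bool:
    """Cheap byte-level check suitable for a WAF rule or for scanning stored request logs."""
    return DTD_SIGNATURE.search(raw) is not None


def parse_without_dtd(raw: bytes) -> dict:
    """Parse a flat XML request into {tag: text}, refusing any DOCTYPE and any external entity.

    This is the authoritative check: it runs inside the parser after encoding
    detection, so re-encoded or whitespace-padded payloads that slip past the
    signature still fail here.
    """
    fields: dict[str, str] = {}
    open_tags: list[str] = []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Any DTD is refused before a single entity can be declared.
        raise XXERejected(f"DOCTYPE '{name}' rejected: DTDs are not accepted")

    def refuse_external(context, base, system_id, public_id):
        # Returning 0 makes expat abort the parse instead of fetching the entity.
        return 0

    def start(tag, attrs):
        open_tags.append(tag)
        fields.setdefault(tag, "")

    def text(data):
        if open_tags:
            fields[open_tags[-1]] += data

    def end(tag):
        open_tags.pop()

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = refuse_external
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text
    parser.Parse(raw, True)
    return fields


def triage(raw: bytes) -> str:
    """Decision a request filter would make: 'signature', 'parser' or 'accept'."""
    if looks_like_xxe(raw):
        return "signature"
    try:
        parse_without_dtd(raw)
    except (XXERejected, expat.ExpatError):
        # XXERejected: a DTD was present; ExpatError: malformed input or an undeclared entity.
        return "parser"
    return "accept"


if __name__ == "__main__":
    for label, body in [("benign", BENIGN_REQUEST), ("xxe", XXE_REQUEST),
                        ("undeclared", UNDECLARED_ENTITY_REQUEST), ("utf16", EVASION_REQUEST)]:
        print(f"{label:10s} -> {triage(body)}")
```

The signature is the cheap, first-line control and is what a WAF rule or a log-review script would use; the parser-level refusal is the one to rely on, because it sees the document after encoding detection and rejects the DTD before any entity can be declared or resolved. The UTF-16 sample shows why both layers are needed: the byte signature does not match it, but the parser still refuses it.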
