Oracle Business Intelligence ReportTemplateService XXE CVE-2019-2616
Description
The ReportTemplateService component in Oracle Business Intelligence Enterprise Edition (OBIEE) contains an XML External Entity (XXE) injection vulnerability tracked as CVE-2019-2616. This flaw occurs when the service improperly processes XML input, allowing attackers to reference external entities. Unauthenticated remote attackers can exploit this vulnerability by sending specially crafted XML requests to the affected service, potentially leading to unauthorized information disclosure, server-side request forgery (SSRF), or denial of service conditions.
Remediation
Take the following steps to remediate this vulnerability:
1. Apply Security Patches (Primary Solution):
Immediately upgrade Oracle Business Intelligence Enterprise Edition to a version that includes the fixes from Oracle Critical Patch Update (CPU) April 2019 or later. Consult Oracle's patch advisory for specific version numbers and installation instructions applicable to your deployment.
2. Disable External Entity Processing (Interim Mitigation):
If immediate patching is not possible, configure the XML parsers under your control to disable DTD and external entity processing. For the Java XML parsers commonly used in Oracle products, the following DocumentBuilderFactory configuration applies:

import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

// Disable DTDs and external entities. setFeature throws
// ParserConfigurationException when the parser lacks a feature; do not swallow it.
static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    dbf.setXIncludeAware(false);
    dbf.setExpandEntityReferences(false);
    return dbf;
}

3. Network Segmentation:
Restrict network access to the ReportTemplateService to only trusted sources using firewall rules or network access controls.
4. Verification:
After applying patches, verify the fix by testing that the service properly rejects XML documents containing external entity references.
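To carry out the verification in step 4 against the parser settings from step 2, the following added Java check (example code written for this page, not Oracle's code) feeds a constructed document containing an external entity declaration through both a hardened and a default DocumentBuilderFactory and reports whether each refuses the DOCTYPE; the class name, the sample document and the placeholder system identifier are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class XxeHardeningCheck {
    // Constructed sample: a DOCTYPE that declares an external general entity.
    // The system identifier is a placeholder, not a real resource.
    static final String EXTERNAL_ENTITY_SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE report [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER_PATH\">]>\n"
      + "<report><template>&ext;</template></report>";

    // Same settings as the interim mitigation in step 2.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // True only if the parser refuses the DOCTYPE up front. An IOException means the
    // parser tried to fetch the entity (the vulnerable behaviour), so it is not "blocked".
    static boolean rejectsExternalEntity(DocumentBuilderFactory dbf, String xml) {
        try {
            DocumentBuilder db = dbf.newDocumentBuilder();
            db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false; // parsed successfully: the entity was expanded
        } catch (SAXException e) {
            return true;  // SAXParseException: DOCTYPE is disallowed
        } catch (IOException | ParserConfigurationException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        boolean hardened = rejectsExternalEntity(hardenedFactory(), EXTERNAL_ENTITY_SAMPLE);
        boolean defaults = rejectsExternalEntity(DocumentBuilderFactory.newInstance(), EXTERNAL_ENTITY_SAMPLE);
        System.out.println("hardened factory blocks DOCTYPE: " + hardened);
        System.out.println("default factory blocks DOCTYPE:  " + defaults);
        System.exit(hardened ? 0 : 1);
    }
}
```

A correctly hardened factory raises a SAXParseException on the DOCTYPE before any entity is resolved, whereas the JDK's default factory attempts to open the referenced resource; a non-zero exit code therefore means the mitigation is not in effect.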