Vulnerability discovered in Oracle Business Intelligence Enterprise Edition

mnemonic discovers a denial of service vulnerability in Oracle’s Business Intelligence platform

Tor E. Bjørstad has been credited by Oracle for reporting CVE-2017-10060, which is a denial of service vulnerability in Oracle Business Intelligence Enterprise Edition (OBIEE), part of Oracle Fusion Middleware.

The vulnerability was reported to Oracle in mid-July, and is being fixed as part of Oracle’s quarterly Critical Patch Update for October.

CVE-2017-10060

An application user can cause resource exhaustion by sending a specially crafted request to the OBIEE server. This leads to an immediate application-layer denial of service condition.

CVSSv3 Base Score: 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:H)

mnemonic recommends that companies using OBIEE apply the new patch in order to mitigate the vulnerability. The vulnerability affects OBIEE versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0, and 12.2.1.2.0.

For more information, see: Oracle Critical Patch Update Advisory - October 2017: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html