Security Advisory

Privilege escalation in Oracle Identity Analytics

By exploiting IDOR vulnerabilities, a low-privileged adversary can gain access to datasets belonging to other accounts.

Advisory ID: MLSA-2018-001
CVE: CVE-2018-3168
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Severity: high
Affected versions: ≤ 11.1.1.5.8
Fixed versions: > 11.1.1.5.8
Discovered by: Hans-Martin Münch

Product description

Oracle Identity Analytics provides enterprises with the ability to define and manage roles and automate critical identity-based controls. Once roles are defined, certified, and assigned, the software continues to deliver scalable and sustainable identity governance.

Details

Oracle Identity Analytics uses Direct Web Remoting (DWR) to implement Remote Procedure Calls from the web interface. The methods that can be reached through DWR do not validate whether the current user is authorized to access the objects referenced by the IDs supplied in the request. A low-privileged user can therefore supply the ID of another user's object and retrieve that user's data.
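The flaw class described above, modeled as an added Python example rather than Oracle's or DWR's own code: an RPC-style method that looks up a dataset purely by the client-supplied ID, next to the same method with an object-level authorization check. The `Session`, `Report`, `ReportService*` names and the in-memory `REPORTS` store are assumptions constructed for the demonstration and do not correspond to identifiers in the affected product.

```python
# Added example (not Oracle's or DWR's code). Models the missing object-level
# authorization check behind CVE-2018-3168 with a hypothetical report store.
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when a caller may not read the requested object."""


@dataclass(frozen=True)
class Session:
    """Authenticated caller; 'roles' is a frozenset of role names (assumed)."""
    user: str
    roles: frozenset = frozenset()


@dataclass
class Report:
    report_id: int
    owner: str
    rows: list


# Constructed sample data: two users, each owning one dataset.
REPORTS = {
    101: Report(101, "alice", ["alice-row-1", "alice-row-2"]),
    202: Report(202, "bob", ["bob-row-1"]),
}


class ReportServiceVulnerable:
    """RPC method that trusts the client-supplied ID: the IDOR pattern."""

    def get_report(self, session, report_id):
        # Authentication happened earlier, but nothing ties report_id to
        # session.user, so any valid ID returns any user's rows.
        return REPORTS[report_id].rows


class ReportServiceFixed:
    """Same RPC method with the authorization check the advisory calls for."""

    def get_report(self, session, report_id):
        report = REPORTS.get(report_id)
        # Use one error for both "missing" and "forbidden" so the response
        # does not reveal which IDs exist.
        if report is None or not self._may_read(session, report):
            raise AccessDenied(f"{session.user} may not read report {report_id}")
        return report.rows

    @staticmethod
    def _may_read(session, report):
        # Ownership or an explicit admin role is required; extend as needed.
        return report.owner == session.user or "admin" in session.roles


def is_denied(service, session, report_id):
    """True if the service refuses the read with AccessDenied."""
    try:
        service.get_report(session, report_id)
    except AccessDenied:
        return True
    return False


def demo():
    """Low-privileged user 'bob' asks for alice's report (ID 101)."""
    bob = Session("bob")
    leaked = ReportServiceVulnerable().get_report(bob, 101)
    blocked = is_denied(ReportServiceFixed(), bob, 101)
    return leaked, blocked


if __name__ == "__main__":
    rows, stopped = demo()
    print("vulnerable handler returned:", rows)
    print("fixed handler denied the read:", stopped)
```

The fix is the `_may_read` check: every remotely callable method that takes an object ID must resolve the object and then confirm that the caller is entitled to it, rather than relying on the fact that the caller is logged in. Returning the same error for nonexistent and forbidden IDs also keeps the endpoint from confirming which IDs are valid.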

Coordinated Disclosure Timeline

  • xx/xx/2018 Report to Oracle
  • 16/10/2018 Release of Oracle Critical Patch Update.