Anatomy of a Responsible Disclosure – Zero Day Vulnerability in Oracle BI Publisher

Title of Technical Briefing: Anatomy of a Responsible Disclosure – Zero Day Vulnerability in Oracle BI Publisher

Description: Oracle Business Intelligence (BI) Publisher is a reporting tool used to manage and deliver reports. It can be integrated with various data sources such as Oracle DB, Oracle BI, SQL Server, PeopleSoft, Siebel and web services to generate flexible reports in different layout types such as Word, Excel and PDF. Oracle BI Publisher Enterprise 10.1.3.4.2 was vulnerable to a Zero Day Cross-Site Request Forgery (CSRF) security flaw, whereby an attacker could force an authenticated user to perform malicious actions of interest to the attacker. In this case, successful exploitation against an administrator account could lead to the malicious addition or deletion of users, malicious configuration of report delivery, and so on. Because this module is a reporting tool, successful exploitation of the CSRF vulnerability could severely affect the confidentiality, integrity and availability of data. Oracle was very cooperative in acknowledging and addressing this issue. A patch for this vulnerability was released as part of their Critical Patch Update (CPU) on April 17 2012.

Speaker: Vishal Kalro

Information Security Professional with close to 6 years of experience in the Information Security domain. Vishal holds a Master’s degree in Telecommunication from RMIT University, Melbourne, Australia and a Bachelor’s degree in Electronics Engineering from Mumbai University. He is a CISSP, CISA, PCI-DSS ISA, and CCSK. As an active contributor to ClubHack he has authored articles on Cloud Computing, Social Engineering, Wireless Security and Measuring WAN Performance.

Vishal is an enthusiastic traveler and tries to make good use of his time exploring new places and trying local cuisine. He enjoys badminton and runs to keep himself fit.