Security Focus – April 2020 (Oracle security alert – cve-2020-2959)

Preface: Perhaps you have a similar feeling every time you read a cyber security announcement from Oracle. The first impression is that it contains too many items. Reading into the details, some items show that remediation will be a long-running process!

Vulnerability detail: An unspecified vulnerability in the Analytics Web General component of Oracle BI Publisher. This easily exploitable vulnerability could allow an unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in takeover of Oracle Business Intelligence Enterprise Edition. (CVE-2020-2950)

Observation: Since the official announcement did not describe the details, we did our own analysis. The online Catalog Manager might fail to connect to Oracle BI Presentation Services when the HTTP web server for Oracle Business Intelligence is enabled for SSO. When you enable SSO, the Oracle Business Intelligence URL becomes protected, and you must point the online Catalog Manager to the URL instead. The URL should remain unprotected. It is configured only to accept SOAP access as used by Oracle BI Publisher, Oracle BI Add-in for Microsoft Office, and the online Catalog Manager.

Potential risk or vulnerability – Session replay attacks specifically target websites and other systems that generate and store sessions.

Official announcement –
