JVNDB-2013-000070

[Japanese]
JVNDB-2013-000070
Oracle Outside In vulnerable to buffer overflow
Overview
Oracle Outside In is a library to decode over 500 file types. Oracle Outside In contains a buffer overflow vulnerability. Takahiro Haruyama of Internet Initiative Japan Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)
CVSS V2 Severity: Base Metrics 7.5 (High) [IPA Score] Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
Affected Products

IBM Corporation IBM WebSphere Portal 6.0.0 IBM WebSphere Portal 6.0.1 IBM WebSphere Portal 6.1.0 IBM WebSphere Portal 6.1.5 IBM WebSphere Portal 7 IBM WebSphere Portal 8 Oracle Corporation Oracle Fusion Middleware Oracle Outside In 8.3.7 and earlier Microsoft Corporation Microsoft Exchange Server 2007 SP3 Microsoft Exchange Server 2010 SP2 and SP3 Microsoft Exchange Server 2013 Cumulative Update 1 Microsoft Exchange Server 2013 Cumulative Update 2
Please refer to 1660640 provided by IBM for more details about IBM WebSphere Portal.
Impact
When Oracle Outside In processes a specially crafted Ichitaro Word Processor file, arbitrary code may be executed.
Solution
[Apply an update] Update to the latest version according to the information provided by the developer.
Vendor Information
IBM Corporation IBM Support Document : 1660640 Oracle Corporation Oracle Critical Patch Update : Oracle Critical Patch Update Advisory - July 2013 Oracle Critical Patch Update : Text Form of Oracle Critical Patch Update - July 2013 Risk Matrices SECURITY BLOG : July 2013 Critical Patch Update Released Microsoft Corporation Microsoft Security Bulletin : MS13-061 Microsoft Support : MS13-061: Vulnerabilities in Microsoft Exchange Server could allow remote code execution: August 13, 2013 Microsoft Support : Update 2874216 breaks the content index in Exchange Server 2013 FUJITSU FUJITSU Security Information : TA13-225A (in Japanese)
CWE (What is CWE?)
Buffer Errors(CWE-119) [IPA Evaluation]
CVE (What is CVE?)
CVE-2013-3781
References
JVN : JVN#07497769 JVN : JVNTA13-225A (in Japanese) National Vulnerability Database (NVD) : CVE-2013-3781 IPA SECURITY ALERTS : Security Updates Available for Oracle Outside In (JVN#07497769) (in Japanese) IPA SECURITY ALERTS : Security Updates Available for Microsoft (August 2013) (in Japanese) JPCERT REPORT : JPCERT-AT-2013-0035 (in Japanese) @Police : Microsoft Security Bulletin for August 2013 (in Japanese) US-CERT Technical Cyber Security Alert : TA13-225
Revision History
[2013/07/17] Web page was published [2013/08/23] Affected Products : Products were added Vendor Information : Contents were added References : Contents were added [2013/08/28] Vendor Information : Contents were added [2014/02/24] Affected Products : Products were added Vendor Information : Contents were added


Date Public	2013/07/17
Date First Published	2013/07/17
Date Last Updated	2014/02/24

Oracle Outside In vulnerable to buffer overflow