PT-2013-21: XML External Entities Injection in Oracle Database

Vulnerable software
Oracle Database
Version: 11.1.0.7, 11.2.0.2, 11.2.0.3, 12.1.0.1
Link: http://www.oracle.com/

Severity level
Severity level: Medium
Impact: Internal Network Resources Access, Denial of Service
Access Vector: Remote
CVSS v2:
Base Score: 6.4
Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)
CVE: CVE-2013-5771

Software description
The Oracle Database (commonly referred to as Oracle RDBMS or simply as Oracle) is an object-relational database management system produced and marketed by Oracle Corporation.

Vulnerability description
The specialists of the Positive Research center have detected an XML External Entities Injection vulnerability in Oracle Database.
If an attacker sends a specially crafted SQL query containing malformed XML to the Oracle Database server, the server will automatically send the contents of remote resources to the attacker's server. This vulnerability also allows remote attackers to perform denial of service attacks.

How to fix
Update your software to the latest version.

Advisory status
26.02.2013 - Vendor gets vulnerability details
15.10.2013 - Vendor releases fixed version and details
25.10.2013 - Public disclosure

Credits
The vulnerability was detected by Timur Yunusov, Alexey Osipov, Positive Research Center (Positive Technologies Company).

References
http://en.securitylab.ru/lab/PT-2013-21
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html

Reports on the vulnerabilities previously discovered by Positive Research:
http://www.ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/
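The vulnerability description above says the trigger is XML carried inside a SQL statement. Until the patched version is rolled out, a database audit trail or SQL proxy can be screened for the DTD constructs that XXE and entity-expansion attacks rely on. The detector below is an added example, not code from Positive Technologies or Oracle; the sample statements are constructed (they use the real Oracle XMLTYPE constructor only as a plausible carrier, and the advisory itself gives no payload details), and the classification rules are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample statements, as they might appear in a SQL audit log.
SAMPLE_STATEMENTS = [
    "SELECT XMLTYPE('<order><id>42</id></order>') FROM dual",
    "SELECT XMLTYPE('<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY x SYSTEM "
    "\"http://example.invalid/\">]><r>&x;</r>') FROM dual",
    "SELECT XMLTYPE('<!DOCTYPE r [<!ENTITY a \"aaaa\"><!ENTITY b \"&a;&a;\">]>"
    "<r>&b;</r>') FROM dual",
    "SELECT name FROM employees WHERE id = 7",
]

# Any inline DTD in application SQL is unusual; an external identifier
# (SYSTEM/PUBLIC) on an entity or the DOCTYPE is the XXE marker, and internal
# entities that reference other entities indicate an expansion (DoS) attempt.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_RE = re.compile(
    r"<!(?:ENTITY\s+(?:%\s*)?\w+|DOCTYPE\s+\w+)\s+(?:SYSTEM|PUBLIC)\b",
    re.IGNORECASE,
)
INTERNAL_ENTITY_RE = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"', re.IGNORECASE)
ENTITY_REF_RE = re.compile(r"&\w+;")


@dataclass
class Finding:
    index: int    # position of the statement in the scanned list
    kind: str     # "external_entity", "entity_expansion" or "doctype"
    excerpt: str  # leading part of the statement, for the alert


def classify_statement(sql: str) -> Optional[str]:
    """Return the risk class of one statement, or None if it embeds no DTD."""
    if not DOCTYPE_RE.search(sql):
        return None
    if EXTERNAL_RE.search(sql):
        return "external_entity"
    for _name, value in INTERNAL_ENTITY_RE.findall(sql):
        if ENTITY_REF_RE.search(value):
            return "entity_expansion"
    return "doctype"


def scan_statements(statements: List[str]) -> List[Finding]:
    """Scan a batch of logged statements and collect those worth alerting on."""
    findings = []
    for i, sql in enumerate(statements):
        kind = classify_statement(sql)
        if kind is not None:
            findings.append(Finding(i, kind, sql[:60]))
    return findings
```

Run against SAMPLE_STATEMENTS it flags statements 1 and 2 only; a bare DOCTYPE without external identifiers or nested entity references is reported as "doctype" so that legitimate but unusual DTD use can be reviewed rather than silently dropped.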