CVE-2017-10163 in Business Intelligence Enterprise Edition
Summary
by MITRE
Vulnerability in the Oracle Business Intelligence Enterprise Edition component of Oracle Fusion Middleware (subcomponent: Analytics Web General). Supported versions that are affected are 11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0 and 12.2.1.2.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data. Note: Please refer to Doc ID My Oracle Support Note 2310021.1 for instructions on how to address this issue. CVSS 3.0 Base Score 6.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N).
Analysis
by VulDB Data Team • 01/17/2021
CVE-2017-10163 resides in the Oracle Business Intelligence Enterprise Edition component of Oracle Fusion Middleware, specifically in the Analytics Web General subcomponent. It affects several version lines, 11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0 and 12.2.1.2.0, so a large part of Oracle's business intelligence installed base is exposed. Oracle classifies the vulnerability as easily exploitable (attack complexity low), meaning an attacker with minimal technical expertise can leverage it to compromise the target system. The attack vector is network access via HTTP, so the flaw is reachable by remote threat actors without physical presence or specialized equipment.
The technical nature of this vulnerability stems from insufficient access controls within the analytics web interface, allowing low privileged attackers to perform unauthorized operations against the business intelligence platform. The CVSS 3.0 scoring of 6.3 reflects the moderate severity of the issue, with specific impact metrics showing low confidentiality impact, high integrity impact, and no availability impact. This scoring indicates that while the attacker cannot directly disrupt system availability, they can modify or delete critical data within the platform. The vulnerability requires human interaction from users other than the attacker, suggesting that social engineering or phishing techniques might be necessary to initiate the attack, though this does not reduce the overall threat level.
The operational impact of this vulnerability extends beyond simple data compromise, as successful exploitation can result in unauthorized creation, deletion, or modification of critical business intelligence data. Additionally, attackers can gain unauthorized read access to sensitive data subsets within the Oracle Business Intelligence Enterprise Edition environment. This represents a significant risk for organizations relying on business intelligence for strategic decision making, as the integrity and confidentiality of their analytical data could be compromised. The attack scenario typically involves an attacker leveraging the vulnerability through HTTP connections, potentially gaining access to business reports, dashboards, and underlying data sources that would normally be protected by proper access controls.
Organizations affected by this vulnerability should implement immediate mitigation strategies as outlined in My Oracle Support Note 2310021.1, which provides specific guidance for addressing the issue. The recommended approach includes applying the appropriate Oracle patches and security updates to remediate the access control weaknesses. Network segmentation and firewall rules should be reviewed to limit unnecessary HTTP access to the business intelligence platform. Additionally, organizations should implement enhanced monitoring and logging of web application activities to detect potential exploitation attempts. From a cybersecurity framework perspective, this vulnerability aligns with CWE-284 (Improper Access Control) and maps to ATT&CK techniques T1078 (Valid Accounts) and T1566 (Phishing) as potential attack vectors. Regular security assessments and vulnerability scanning should be conducted to identify similar access control weaknesses in other Oracle Fusion Middleware components, ensuring comprehensive protection of enterprise business intelligence systems against unauthorized access and data manipulation threats.