PT-2015-3885 · Oracle · Oracle Database Server

Khai Tran · Published 2015-01-21 · Updated 2016-11-28 · CVE-2014-6577

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Oracle Database Server versions 11.2.0.3 through 11.2.0.4
Oracle Database Server versions 12.1.0.1 through 12.1.0.2

Description

The issue affects confidentiality and can be exploited by remote authenticated users via unknown vectors. It is claimed to be an XML external entity (XXE) vulnerability in the XML parser, which could allow attackers to conduct internal port scanning, perform Server-Side Request Forgery (SSRF) attacks, or cause a denial of service via a crafted URI, such as http: or ftp:.

Recommendations

For Oracle Database Server versions 11.2.0.3 and 11.2.0.4, update to a version that includes the January 2015 CPU fixes. For Oracle Database Server versions 12.1.0.1 and 12.1.0.2, update to a version that includes the January 2015 CPU fixes. As a temporary workaround, consider restricting access to the XML parser to minimize the risk of exploitation.
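The XXE class described above relies on the parser honouring a DOCTYPE that declares an external entity pointing at an http: or ftp: URI. The gate below, an added example that is not Oracle code and not part of this advisory, shows the "restrict access to the XML parser" mitigation in practice: untrusted XML is fed to the stdlib expat parser with handlers that refuse any DOCTYPE or external entity reference before a network fetch can happen. The sample documents and the hostname they name are constructed.

```python
"""Pre-parse gate that rejects XML carrying a DTD or external entity
declaration, the ingredients of an XXE-driven SSRF, port scan or DoS.

Added example, not Oracle code. The stdlib expat parser stands in for
whatever XML parser receives untrusted documents; samples are constructed."""
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when the document declares a DTD or an external entity."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Any DOCTYPE is refused: external entities can only be declared inside one.
    raise UnsafeXmlError(f"DOCTYPE {name!r} not allowed (sysid={sysid!r})")


def _reject_external_entity(context, base, sysid, pubid):
    # Defence in depth: never fetch http:/ftp:/file: targets named by the document.
    raise UnsafeXmlError(f"external entity reference to {sysid!r} blocked")


def parse_untrusted_xml(data: bytes) -> list:
    """Parse XML and return the element names seen, or raise UnsafeXmlError."""
    elements = []
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.ExternalEntityRefHandler = _reject_external_entity
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(data, True)  # exceptions raised in handlers propagate here
    return elements


# Constructed samples: a benign document and an XXE-style probe
# (the hostname is a placeholder, not a real target).
BENIGN = b"<order><id>42</id></order>"
XXE_PROBE = (b'<?xml version="1.0"?>'
             b'<!DOCTYPE d [<!ENTITY p SYSTEM "http://internal.example/">]>'
             b'<d>&p;</d>')


def is_safe(data: bytes) -> bool:
    """True if the document parses without any DTD or external entity."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXmlError:
        return False
```

Logging the rejected `sysid` from the exception gives a ready-made detection signal for documents that try to reach internal hosts.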

Exploit

Fix


Related identifiers

CVE-2014-6577

Affected products

Oracle Database Server