Oracle AutoVue Office Desktop API Issue

July 6, 2012

Oracle's AutoVue solutions are designed to meet all of an organization's document visualization requirements. They can serve as the window for visualization across all enterprise applications and can even meet the basic viewing needs of individual desktops. AutoVue includes tools for Electronic Design Automation (EDA), a category of software tools for designing electronic systems such as printed circuit boards (PCB) and integrated circuits.

Oracle's AutoVue solutions have multiple products, including but not limited to AutoVue 3D Professional Advanced, AutoVue Office, AutoVue Integrations, AutoVue EDA Professional etc. Oracle's AutoVue Office delivers native document viewing and digital annotation capabilities for Microsoft Office, portable document format (PDF), and graphic document types. Users can view, print, review, and collaborate on hundreds of digital documents without requiring the authoring applications that were used to create them.

A critical vulnerability has been found in Oracle's AutoVue Office product. The vulnerability can be exploited over the 'HTTP' protocol, and it allows remote attackers to affect confidentiality, integrity, and availability, related to Desktop API. It affects the Oracle AutoVue version 20.0.2.

Dell SonicWALL UTM team has researched this vulnerability and will release the following IPS signature to detect it.

  • 8107 Oracle AutoVue Office Desktop API Component Issue

The following generic IPS signatures can also provide protection addressing this issue.

  • 3756 HTTP Client Shellcode Exploit 19a
  • 4095 Client Application Shellcode Exploit 7
  • 4297 Client Application Shellcode Exploit 1
  • 6395 Client Application Shellcode Exploit 23

This vulnerability has been referred by CVE as CVE-2012-0549.