Oracle Data Integrator Type Confusion Vulnerability

March 27, 2015

Oracle Data Integrator is a platform for maintaining data consistency across an organization's systems. It covers integration scenarios ranging from high-volume, high-performance batch loads to event-driven, trickle-feed integration processes and SOA-enabled data services.

Trillium Software System supplies third-party components that are bundled with Oracle Data Integrator; the Oracle Data Integrator installer places several of these Trillium ActiveX controls on the target system. An untrusted pointer dereference vulnerability exists in one of them. The vulnerability is caused by a lack of validation of the value assigned to a parameter of the TSS12.LoaderWizard.lwctrl ActiveX control: the control uses the caller-supplied value as a pointer without verifying that it actually is one (a type confusion). An attacker can trigger it by persuading a user to open a crafted web page that instantiates the control. Successful exploitation can lead to arbitrary code execution in the security context of the logged-in user; an unsuccessful attempt may crash the browser.

Dell SonicWALL has released an IPS signature to detect and block exploitation attempts targeting this vulnerability. The signature is listed below:

  • 10824 Oracle DataPreview Type Confusion