CVE-2012-3152 — Oracle Fusion Middleware Unspecified Vulnerability

Oracle Reports Developer — Unauthenticated File Upload and Read Vulnerabilities Enable Remote Compromise

What is Oracle Reports Developer?

Oracle Reports Developer (part of Oracle Fusion Middleware, also known as Oracle Reports Services) is an enterprise reporting tool that generates and publishes reports from Oracle databases and other data sources. It provides a web-based interface for running reports and is typically deployed in Oracle E-Business Suite and Oracle Database environments. The Oracle Reports Server component exposes HTTP endpoints that allow report execution and, in vulnerable versions, file operations — making it a target for unauthenticated attacks when internet-facing.

Overview

CVE-2012-3152 is a critical vulnerability in the Oracle Reports Developer component of Oracle Fusion Middleware. Despite Oracle's characteristically vague advisory language ("unspecified"), public security research established that the vulnerability involves unauthenticated file upload and file read capabilities exposed through the Oracle Reports web interface. An unauthenticated attacker can upload arbitrary files to the server (enabling webshell installation) or read arbitrary files from the server filesystem.

The CVSS score of 9.1 (no availability impact, but full confidentiality and integrity compromise) is consistent with file read/write primitives rather than direct code execution, though file upload enables subsequent code execution.

Oracle patched this in the October 2012 Critical Patch Update.

Affected Versions

Component                                               Affected Versions                    Fixed
Oracle Reports Developer (in Oracle Fusion Middleware)  Versions prior to October 2012 CPU   October 2012 CPU

Technical Details

Security researchers identified that the Oracle Reports Developer web interface exposed servlet endpoints that accepted file upload requests without authentication. The REPORTS_CACHESIZE servlet and the Oracle Reports CGI interface were among the components studied. In vulnerable configurations:

  • File upload: Unauthenticated HTTP requests could upload files to directories accessible by the Oracle Reports server process — enabling installation of JSP webshells or other server-side code
  • File read: Unauthenticated requests to certain endpoints could retrieve files from the server, exposing configuration files, Oracle database connection credentials, and other sensitive data

The CVSS A:N (no availability impact) reflects that the primary impact is read/write access to data rather than service disruption. However, file upload capability practically enables full system compromise when the web server can execute uploaded files.

Discovery

The specific technical details of CVE-2012-3152 were identified and published by security researchers prior to and around the October 2012 CPU release. Oracle's advisory follows their standard "unspecified vulnerability" format, with researchers providing the additional technical context.

Exploitation Context

CISA added this CVE to the KEV catalog in November 2021, confirming active exploitation in the wild. Oracle Fusion Middleware components hosting internet-accessible reporting interfaces were targeted by threat actors seeking file upload primitives for initial access into enterprise Oracle environments. Oracle Reports Developer exposures are commonly found in E-Business Suite deployments where administrators expose the reporting server for external business partner access.

Remediation

  1. Apply the Oracle October 2012 CPU (or verify it was applied as part of normal CPU maintenance)
  2. Maintain quarterly CPU patch currency — Oracle releases CPUs quarterly; track patch levels for all Fusion Middleware components
  3. Restrict network access to Oracle Reports Developer — the Reports Server should not be directly accessible from the internet; place it behind a reverse proxy with authentication
  4. Audit Oracle Reports Server endpoints for evidence of unauthorized file uploads (unexpected .jsp, .jspx, .war files in web-accessible directories)
  5. Review Oracle Reports Server configuration to disable or restrict the file handling capabilities if reporting functionality does not require them
  6. Monitor Oracle Reports Server access logs for anomalous requests to servlet endpoints not associated with normal report execution
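As an added example covering remediation steps 4 and 6 (this is not code from the advisory or from Oracle): a small Python audit that lists unexpected .jsp/.jspx/.war files under a web root and flags access-log requests under the Reports context that are not on an allowlist. The allowlist entry /reports/rwservlet, the other paths and the sample log lines are constructed assumptions to be replaced with what a given deployment actually serves.

```python
"""Defensive audit helpers for remediation steps 4 and 6. Added example, not
code from the advisory or Oracle; paths and log lines are constructed."""
import re
import tempfile
import time
from pathlib import Path

SUSPECT_EXTS = {".jsp", ".jspx", ".war"}  # step 4: unexpected under a web root

def find_unexpected_web_files(root, max_age_days=None):
    """List files under root with a suspect extension; with max_age_days,
    only those modified that recently (a newly appearing file is the signal)."""
    cutoff = None if max_age_days is None else time.time() - max_age_days * 86400
    return sorted(str(p) for p in Path(root).rglob("*")
                  if p.is_file() and p.suffix.lower() in SUSPECT_EXTS
                  and (cutoff is None or p.stat().st_mtime >= cutoff))

# Step 6: combined-log-format request line (client, method, target, status).
# ALLOWED_PATHS is an assumed allowlist seeded with the standard Reports
# servlet path; extend it with whatever your deployment legitimately serves.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
ALLOWED_PATHS = {"/reports/rwservlet"}

def flag_anomalous_requests(lines, context="/reports/"):
    """Return (client, method, path, status) for each request under the
    Reports context whose path is not on the allowlist, for analyst triage."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        client, method, target, status = m.groups()
        path = target.split("?", 1)[0]  # drop the query string
        if path.startswith(context) and path not in ALLOWED_PATHS:
            flagged.append((client, method, path, int(status)))
    return flagged

# Constructed sample log: one normal report run, two off-allowlist requests
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Oct/2012:10:01:02 +0000] "GET /reports/rwservlet?report=sales.rdf HTTP/1.1" 200 5120',
    '198.51.100.7 - - [16/Oct/2012:10:02:15 +0000] "POST /reports/unexpectedServlet HTTP/1.1" 200 91',
    '198.51.100.7 - - [16/Oct/2012:10:02:20 +0000] "GET /reports/cache/shell.jsp HTTP/1.1" 200 430',
    '10.0.0.9 - - [16/Oct/2012:10:03:00 +0000] "GET /static/logo.png HTTP/1.1" 200 2048',
]

def demo_scan():
    """Constructed web root in a temp dir holding one stray .jsp file."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "cache").mkdir()
        (Path(root) / "cache" / "x.jsp").write_text("<% %>")
        return [Path(p).name for p in find_unexpected_web_files(root, 1)]
```

Run the file scan against the Reports Server's web-accessible directories on a schedule and diff the output; a file that appears between runs is what step 4 is looking for.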

Key Details

Property              Value
CVE ID                CVE-2012-3152
Vendor / Product      Oracle — Fusion Middleware
NVD Published         2012-10-16
NVD Last Modified     2025-10-22
CVSS 3.1 Score        9.1
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity              CRITICAL
CISA KEV Added        2021-11-03
CISA KEV Deadline     2022-05-03
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date        Event
2012-10-16  Oracle releases October 2012 CPU patching CVE-2012-3152 in Oracle Reports Developer
2012-10-16  CVE-2012-3152 published
2021-11-03  Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03  CISA BOD 22-01 remediation deadline

References

Resource                                     Type
NVD — CVE-2012-3152                          Vulnerability Database
CISA KEV Catalog Entry                       US Government
Oracle Critical Patch Update — October 2012  Vendor Advisory