Onapsis Security Advisory - The Oracle Virtual Server Agent suffers from an arbitrary file access vulnerability. By exploiting this vulnerability, an authenticated attacker would be able to remotely compromise the OVS server, together with all the virtual machines configured on it. This would result in the compromise of integrity, availability and confidentiality of every virtual machine deployed in the OVS server.
d031200543b4d11ba73fe8cdf870bdda3a8d6e288280d3b250bea767e3fe6228
This Metasploit module exploits a command injection flaw within Oracle's VM Server Virtual Server Agent (ovs-agent) service. By including shell meta characters within the second parameter to the 'utl_test_url' XML-RPC methodCall, an attacker can execute arbitrary commands. The service typically runs with root privileges. NOTE: Valid credentials are required to trigger this vulnerability. The username appears to be hardcoded as 'oracle', but the password is set by the administrator at installation time.
a344bd54fa4c477119c5044e88885c1a910d29d6cdf06faf3ada865aec5793cd