MarkLogic Corporation Information for VU#520721

Oracle Outside In contains exploitable vulnerabilities in Lotus 123 and Microsoft CAB file parsers



Vendor Statement

MarkLogic Corporation acknowledges CERT Vulnerability Notes VU#103425 and
VU#520721 and confirms that an affected version of Oracle Outside In is bundled
and shipped with MarkLogic Server versions 4.0, 4.1 and 4.2.  Outside In file
conversion is a keyed option in MarkLogic Server.  The Outside In converters
cannot be accessed from within the MarkLogic Server programming environment
without an installed license key that enables the Outside In conversion
option.  The Outside In conversion option for MarkLogic Server has not been
advertised and circulation is highly restricted.  Therefore, the security risk
imposed by the bundled Outside In utility on the MarkLogic user community is
extremely limited.

Regardless, the affected Outside In libraries have been removed from MarkLogic
Server 4.1 (4.1-11) and 4.2 (4.2-6) and will be absent in all future
maintenance releases for those codelines.  Further, Outside In will be removed
entirely from upcoming MarkLogic Server version 5.0.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.
