Oracle Fusion Middleware contains a flaw related to the 'Services for Beehive' component. The issue is triggered when a remote attacker passes input via an evaluation parameter to voice-servlet/prompt-qa/Index.jspf. The program does not properly sanitise this input before using it to create a file. This may allow a remote attacker to execute arbitrary JSP code by creating a file with a NULL byte within the filename.

Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch to address this vulnerability.

• Security Tracker: 1024981
• CVE ID: 2010-4417 (see also: NVD)
• Secunia Advisory ID: 42978
• Bugtraq ID: 45854
• VUPEN Advisory: ADV-2011-0143
• News Article: http://www.computerworld.com/s/article/9205121/Oracle_plans_to_release_66_patches_on_Tuesday
• Vendor Specific News/Changelog Entry: http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
• Other Advisory URL: http://www.zerodayinitiative.com/advisories/ZDI-11-020/

• 1c239c43f521145fa8385d64a9c32243 - Zero Day Initiative (ZDI)