SecurityTracker.com
SecurityTracker
Archives
Category: Application (Database) > Oracle E-Business Suite
Vendors: Oracle
Oracle E-Business Suite Report Review Agent Discloses Files to Remote Users
SecurityTracker Alert ID: 1006550
CVE Reference: GENERIC-MAP-NOMATCH
Updated: Apr 11 2003
Original Entry Date: Apr 11 2003
Impact: Disclosure of system information, Disclosure of user information, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): Oracle E-Business Suite 11i, Releases 1 through 8; Oracle Applications 11.0, All Releases; Oracle Applications 10.7, All Releases
Description:  Integrigy Corporation reported a vulnerability in the Oracle E-Business Suite in the Report Review Agent (RRA), also known as the FND File Server (FNDFS). A remote user may be able to gain access to various applications and system files.

It is reported that a remote user can spoof requests sent to the TNS Listener port to gain access to files on the system.

According to Integrigy, a flaw in the communications protocol used by the Oracle Applications FNDFS program allows a remote user to bypass operating system, database, and application authentication mechanisms to retrieve arbitrary files from Oracle Applications Concurrent Manager servers. Files that are readable by the 'oracle' or 'applmgr' accounts can reportedly be accessed, including files that contain passwords. Integrigy reports that in many implementations the Concurrent Manager server is also the database server.

In Oracle Applications 10.7 and Oracle Applications 11.0, the affected service is only installed on the Concurrent Processing node. In Oracle E-Business Suite 11i, the affected service is installed on all Application Tiers, according to the Oracle security advisory.

Oracle credits Stephen Kost of Integrigy Corporation with reporting this flaw. [Editor's note: The Integrigy advisory will be posted shortly -- see the Message History.]

Impact:  A remote user can gain access to files on the target server that are readable by the 'oracle' or 'applmgr' accounts, including files that contain passwords.
Solution:  A patch is available. Oracle indicates that users of Applications Desktop Integrator (ADI) must also apply an additional patch (#2778660).

See the README.txt file in the patch for patch instructions.

The patch is available for:

Oracle E-Business Suite 11i, Releases 1 through 8
Oracle Applications 11.0, All Releases

The patch is available at:

http://metalink.oracle.com

See the vendor's alert for instructions on how to locate the patch and for a patch matrix.

Vendor URL: otn.oracle.com/deploy/security/pdf/2003alert53.pdf
Cause:  Authentication error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 11 2003 (Integrigy Releases Advisory With More Details) Re: Oracle E-Business Suite Report Review Agent Discloses Files to Remote Users   (Integrigy Security Alerts <alerts@integrigy.com>)
Integrigy has released their advisory, which provides more details than were available in the Oracle alert.


Source Message Contents

Date: Thu, 10 Apr 2003 22:05:47 -0400
Subject: Report Review Agent (RRA/FNDFS) Vulnerability in Oracle E-Business

http://otn.oracle.com/deploy/security/pdf/2003alert53.pdf

Oracle issued a security alert warning of a flaw in the Oracle 
E-Business Suite in the Report Review Agent (RRA), also known as the FND 
File Server (FNDFS).

A remote user can spoof requests sent to the TNS Listener port to gain 
access to applications and operating system files.

The following versions are affected:

• Oracle E-Business Suite 11i, Releases 1 through 8
• Oracle Applications 11.0, All Releases
• Oracle Applications 10.7, All Releases


In Oracle Applications 10.7 and Oracle Applications 11.0, the affected 
service is only installed on the Concurrent Processing node.  In Oracle 
E-Business Suite 11i, the affected service is installed on all 
Application Tiers, according to the advisory.

A patch is available.  Oracle indicates that users of Applications 
Desktop Integrator (ADI) must also apply an additional patch (#2778660).

See the README.txt file in the patch for patch instructions.

The patch is available for:

• Oracle E-Business Suite 11i, Releases 1 through 8
• Oracle Applications 11.0, All Releases

The patch is available at:

http://metalink.oracle.com

See the vendor's alert for instructions on how to locate the patch.


-----

Oracle Security Alert 53
Dated: 10 April 2003
Severity: 2

Copyright 2002, SecurityGlobal.net LLC