(Vendor Releases Fix) Re: Oracle's Application Desktop Integrator that Ships with Oracle's Financial Applications Gives Local Users Access to Database Passwords
SecurityTracker Alert ID: 1001594
SecurityTracker URL: http://securitytracker.com/id/1001594
Date: May 23 2001
Impact: Disclosure of authentication information
Fix Available: Yes  Vendor Confirmed: Yes
Version(s): Any Oracle E-Business Suite Release 11i installation may be affected by this vulnerability, even if the ADI product is not being used.
It is reported that a specific version of Oracle's Application Desktop Integrator that ships with Oracle's Financial Applications contains a security vulnerability that allows local users to obtain database passwords.
It is reported that when the software is launched, it creates a file called dbg.txt on the host's local hard drive that contains the usernames and passwords for both the application user and the APPS schema in plain text.
It is reported that all access to the database for the financial applications is performed using the APPS schema. As a result, the APPS schema has full control of all the tables within the database.
The problem is apparently related to some code in fndpub11i.dll that was delivered with the 184.108.40.206.1 version.
The vendor has reportedly been notified.
A local user can obtain usernames and passwords for the application user and the APPS schema. With the password for the APPS schema, the user can obtain full control of the database tables.
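Added example (not SecurityTracker's or Oracle's code): a defender-side sweep that locates the dbg.txt file described above on a client machine and reports whether it holds password lines. The advisory does not give the file's layout, so the password-line pattern, the scan roots and the sample contents are assumptions.

```python
"""Sweep client-machine directories for the ADI debug file (dbg.txt) that
leaks the application-user and APPS schema passwords in clear text.

The file layout is not published in the advisory; the CRED_LINE pattern
below is an assumption that flags any line naming a password field.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Assumed layout: one credential per line with a "password"/"pwd" field.
CRED_LINE = re.compile(r"(?i)\b(password|pwd)\b")


@dataclass
class Finding:
    path: str
    size: int
    credential_lines: int


def scan_for_adi_debug_leak(roots):
    """Return a Finding for every dbg.txt under *roots* whose contents
    match CRED_LINE. Unreadable files are skipped rather than fatal."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() != "dbg.txt":
                    continue
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "r", errors="replace") as fh:
                        hits = sum(1 for line in fh if CRED_LINE.search(line))
                except OSError:
                    continue
                if hits:
                    findings.append(Finding(path, os.path.getsize(path), hits))
    return findings


def demo():
    """Create a constructed dbg.txt in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        leak = os.path.join(tmp, "ADI", "dbg.txt")
        os.makedirs(os.path.dirname(leak))
        with open(leak, "w") as fh:  # constructed sample, not real ADI output
            fh.write("application user=OPERATIONS password=example_only\n")
            fh.write("APPS schema pwd=example_only\n")
            fh.write("connection established\n")
        return scan_for_adi_debug_leak([tmp])
```

A positive Finding means the host ran the debug DLL: the APPS password should be rotated as the advisory recommends, and the file removed.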
The vendor has provided a fix. See the Source Message for details on how to obtain and apply the patch.
Vendor URL: www.oracle.com/
Cause: Access control error
Underlying OS: Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)
This archive entry is a follow-up to the message listed below.
Source Message Contents
Subject: Vulnerability in Oracle E-Business Suite Release 11i Applications
Post date: 05/22/01
Vulnerability in Oracle E-Business Suite Release 11i Applications
A potential security vulnerability has been discovered in Applications
Desktop Integrator (ADI) version 7.X for Oracle E-Business Suite Release
11i. A debug version of the FNDPUB11I.DLL was inadvertently released
with a patch to Applications Desktop Integrator (ADI) version 7.X. This
DLL writes a debug file to the client machine that includes the clear
text APPS schema password. A malicious user could use this DLL to obtain
the APPS schema password and thereby gain elevated privileges.
Any Oracle E-Business Suite Release 11i installation may be affected by
this vulnerability, even if the ADI product is not being used.
The debug version of FNDPUB11I.DLL has been replaced with a production
version. In addition, a patch is available that introduces an enhanced
security feature, Application Server Security, to prevent the debug DLL
from connecting to the database. The complete solution to this
vulnerability requires both replacement of the debug version DLL and
implementation of the Application Server Security patch. The patches for
this vulnerability can be downloaded from the Oracle Worldwide Support
Services web site, Metalink (http://metalink.oracle.com). Press the
"Patches" button to get to the Patch Download page.
Click on the link labeled "Click Here for ALL Product Patches". Enter
the patch number, select a platform, then press Submit to access the
correct patch for your platform.
To obtain the full Application Server Security patch, download patch
1779336. The patch includes:
- Application Server Security feature
- Trusted implementations of middle-tier connection code
If you do not wish to upgrade your middle-tier application servers at
this time, a database-only version for the patch is also available as
Patch Number 1785034. This patch contains only the Application Server
Security feature. As a result of applying this patch, application
servers with old connection code will need to be registered as trusted
servers before they can access the database. See the README.TXT files
associated with the patch for further instructions.
Apply the Application Server Security patch and turn server security
'ON'. The old versions of ADI will no longer be able to connect. New
versions of ADI are available which contain a trusted implementation of
the FNDPUB11I.DLL connection code. A new version of ADI will be required
to connect to a database which has Application Server Security enabled.
Obtain the correct ADI patch for your current version:
ADI Version Patch
After turning on Application Server Security, it is strongly recommended
that the APPS schema password be changed.
Oracle Corporation wishes to thank Melanie Abbas for discovering this