Category:   Application (Database)  >   Oracle E-Business Suite
Vendors:   Oracle
Oracle E-Business Suite Report Review Agent Discloses Files to Remote Users
SecurityTracker Alert ID:  1006550
SecurityTracker URL:  http://securitytracker.com/id/1006550
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Apr 11 2003
Original Entry Date:  Apr 11 2003
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): Oracle E-Business Suite 11i, Releases 1 through 8; Oracle Applications 11.0, All Releases; Oracle Applications 10.7, All Releases
Description:   Integrigy Corporation reported a vulnerability in the Oracle E-Business Suite in the Report Review Agent (RRA), also known as the FND File Server (FNDFS). A remote user may be able to gain access to various applications and system files.

It is reported that a remote user can spoof requests sent to the TNS Listener port to gain access to files on the system.

According to Integrigy, a flaw in the communications protocol used by the Oracle Applications FNDFS program allows a remote user to bypass operating system, database, and application authentication mechanisms to retrieve arbitrary files from Oracle Applications Concurrent Manager servers. Files that are readable by the 'oracle' or 'applmgr' accounts can reportedly be accessed, including files that contain passwords. The Concurrent Manager server is typically also the database server in many implementations, Integrigy reports.

In Oracle Applications 10.7 and Oracle Applications 11.0, the affected service is only installed on the Concurrent Processing node. In Oracle E-Business Suite 11i, the affected service is installed on all Application Tiers, according to the Oracle security advisory.

Oracle credits Stephen Kost of Integrigy Corporation with reporting this flaw. [Editor's note: The Integrigy advisory will be posted shortly -- see the Message History.]

Impact:   A remote user can gain access to files on the target server that are readable by the 'oracle' or 'applmgr' accounts, including files that contain passwords.
Solution:   A patch is available. Oracle indicates that users of Applications Desktop Integrator (ADI) must also apply an additional patch (#2778660).

See the README.txt file in the patch for patch instructions.

The patch is available for:

Oracle E-Business Suite 11i, Releases 1 through 8
Oracle Applications 11.0, All Releases

The patch is available at:

http://metalink.oracle.com

See the vendor's alert for instructions on how to locate the patch and for a patch matrix.

Vendor URL:  otn.oracle.com/deploy/security/pdf/2003alert53.pdf
Cause:   Authentication error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Integrigy Releases Advisory With More Details) Re: Oracle E-Business Suite Report Review Agent Discloses Files to Remote Users
Integrigy has released their advisory, which provides more details than were available in the Oracle alert.



Source Message Contents

Subject:  Report Review Agent (RRA/FNDFS) Vulnerability in Oracle E-Business


http://otn.oracle.com/deploy/security/pdf/2003alert53.pdf

Oracle issued a security alert warning of a flaw in the Oracle 
E-Business Suite in the Report Review Agent (RRA), also known as the FND 
File Server (FNDFS).

A remote user can spoof requests sent to the TNS Listener port to gain 
access to applications and operating system files.

The following versions are affected:



In Oracle Applications 10.7 and Oracle Applications 11.0, the affected 
service is only installed on the Concurrent Processing node.  In Oracle 
E-Business Suite 11i, the affected service is installed on all 
Application Tiers, according to the advisory.

A patch is available.  Oracle indicates that users of Applications 
Desktop Integrator (ADI) must also apply an additional patch (#2778660).

See the README.txt file in the patch for patch instructions.

The patch is available for:


The patch is available at:

http://metalink.oracle.com

See the vendor's alert for instructions on how to locate the patch.


-----

Oracle Security Alert 53
Dated: 10 April 2003
Severity: 2

Copyright 2020, SecurityGlobal.net LLC