SecurityTracker.com
SecurityTracker Archives
Category: Application (Database) > Oracle E-Business Suite
Vendors: Oracle
(Integrigy Releases Advisory With More Details) Re: Oracle E-Business Suite Report Review Agent Discloses Files to Remote Users
SecurityTracker Alert ID: 1006552
SecurityTracker URL: http://securitytracker.com/id/1006552
CVE Reference: GENERIC-MAP-NOMATCH
Date: Apr 11 2003
Impact: Disclosure of system information, Disclosure of user information, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): Oracle E-Business Suite 11i, Releases 1 through 8; Oracle Applications 11.0, All Releases; Oracle Applications 10.7, All Releases
Description: Integrigy Corporation reported a vulnerability in the Oracle E-Business Suite in the Report Review Agent (RRA), also known as the FND File Server (FNDFS). A remote user may be able to gain access to various application and system files.

It is reported that a remote user can spoof requests sent to the TNS Listener port to gain access to files on the system.

According to Integrigy, a flaw in the communications protocol used by the Oracle Applications FNDFS program allows a remote user to bypass operating system, database, and application authentication mechanisms and retrieve arbitrary files from Oracle Applications Concurrent Manager servers. Any file readable by the 'oracle' or 'applmgr' accounts can reportedly be retrieved, including files that contain passwords. Integrigy notes that in many implementations the Concurrent Manager server is also the database server, so the exposure extends to the database host.

In Oracle Applications 10.7 and Oracle Applications 11.0, the affected service is only installed on the Concurrent Processing node. In Oracle E-Business Suite 11i, the affected service is installed on all Application Tiers, according to the Oracle security advisory.

Integrigy advises that the FNDFS program does not use the standard Oracle SQL*Net port (1521).

The Integrigy advisory is available in the Source Message and at:

http://www.integrigy.com/alerts/FNDFS_Vulnerability.htm

Impact: A remote user can gain access to files on the target server that are readable by the 'oracle' or 'applmgr' accounts, including files that contain passwords.
Solution: A patch is available. Oracle indicates that users of Applications Desktop Integrator (ADI) must also apply an additional patch (#2778660).

See the README.txt file in the patch for patch instructions.

The patch is available for:

Oracle E-Business Suite 11i, Releases 1 through 8
Oracle Applications 11.0, All Releases

The patch is available at:

http://metalink.oracle.com

See the vendor's alert for instructions on how to locate the patch and for a patch matrix.

Vendor URL: otn.oracle.com/deploy/security/pdf/2003alert53.pdf
Cause: Authentication error
Underlying OS: Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)

Message History: This archive entry is a follow-up to the message listed below.
Apr 11 2003 Oracle E-Business Suite Report Review Agent Discloses Files to Remote Users



Source Message Contents

Date: Thu, 10 Apr 2003 22:40:26 -0500
Subject: Integrigy Security Advisory - Oracle Applications FNDFS Vulnerability



Integrigy Security Advisory
______________________________________________________________________

Oracle E-Business Suite FNDFS Vulnerability
April 10, 2003
______________________________________________________________________

Summary:

The Oracle Applications FNDFS program, used to retrieve report output from
the Concurrent Manager server, can be used to remotely retrieve any file
from the server without operating system or application authentication.  A
mandatory patch from Oracle is required to solve this security issue.

Product:    Oracle E-Business Suite
Versions:   10.7, 11.0 and 11.5.1 - 11.5.8
Platforms:  All platforms
Risk Level: High
______________________________________________________________________

Description:

There exists a weakness in the communications protocol used by the Oracle
Applications FND File Server (FNDFS) program, also referred to as the Report
Review Agent (RRA), that may allow an attacker to retrieve any file from
Oracle Applications Concurrent Manager servers bypassing operating system,
database, and application authentication.  The Concurrent Manager server is
usually also the database server in most implementations.  The FNDFS program
is used by the Report Viewer (FNDWRR.exe) and ADI Request Center to retrieve
reports and logs from the Concurrent Manager server.

An attacker can exploit this vulnerability to retrieve sensitive data or
files containing critical passwords from the server.  Any file accessible by
the oracle or applmgr accounts can be retrieved.  Direct access to the
Concurrent Manager server via SQL*Net is required.

Solution:

Oracle has released patches for Oracle Applications 11.0 and 11i to correct
this vulnerability.  Oracle has implemented a new security layer in the
communications protocol used by the FNDFS program.

The following Oracle patches must be applied to all servers --

       Version     Patch
       -------     -----
       11.0        2782950     (All Releases)
       11i         2782945     (11.5.1 - 11.5.8)

Application Desktop Integrator (ADI) users must also apply patch 2778660 to
allow ADI clients to connect to the new FNDFS program.

Appropriate testing and backups should be performed before applying any
patches.

All firewalls should block or filter the SQL*Net protocol, not permitting
any SQL*Net access to the Concurrent Manager or database servers from the
Internet or unsecured networks.  Please note that the FNDFS program does not
run on the standard Oracle SQL*Net port 1521, thus multiple SQL*Net ports
must be blocked or filtered.

Security for the FNDFS TNS Listener should be evaluated and include a
password on the listener and connection limitations to only allow the
application servers access to the listener.  Customers running ADI may not
be able to limit access to the listener, since ADI's Request Center requires
direct access to the listener from the client. Additional information on
security for Oracle TNS listeners can be found at:

   http://www.integrigy.com/info/Integrigy_OracleDB_Listener_Security.pdf

Additional Information:

   http://www.integrigy.com/resources.htm
   http://otn.oracle.com/deploy/security/pdf/2003alert53.pdf

For more information or questions regarding this security alert, please
contact us at alerts@integrigy.com.

Credit:

This vulnerability was discovered by Integrigy Corporation.  Integrigy is a
member of the Oracle PartnerNetwork.
_____________________________________________________________________

About Integrigy Corporation (www.integrigy.com)

Integrigy Corporation is a leader in application security for large
enterprise, mission critical applications. Our application vulnerability
assessment tool, AppSentry, assists companies in securing their largest and
most important applications. Integrigy Consulting offers security assessment
services for leading ERP and CRM applications.

For more information, visit www.integrigy.com.
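The advisory's mitigation advice above turns on two facts a perimeter or listener review can easily miss: the FNDFS listener does not sit on port 1521, and each TNS listener should carry a password. The following helper, added here as an example and not code from Integrigy, Oracle, or SecurityTracker, reads a constructed listener.ora fragment (hypothetical listener names, host, and ports), collects every TCP port that must be filtered, and reports listeners that lack a PASSWORDS_<listener> entry. The minimal listener.ora grammar it parses (column-0 entry names, nested parenthesised attributes) is an assumption; it is not a full Oracle Net parser.

```python
import re
# Constructed sample listener.ora for a concurrent processing node.
# Names, host and ports are hypothetical, not taken from the advisory.
SAMPLE_LISTENER_ORA = """
APPS_PROD =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = cmhost.example.com)(PORT = 1626))
  )

LISTENER =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = cmhost.example.com)(PORT = 1521))
  )

PASSWORDS_LISTENER = (a1b2c3d4e5f6a7b8)
"""

ENTRY_RE = re.compile(r"^([A-Za-z_][\w.]*)\s*=", re.MULTILINE)  # column-0 NAME =
ADDRESS_RE = re.compile(r"\(ADDRESS\s*=((?:\s*\([^()]*\))+)\s*\)", re.I)
PROTO_RE = re.compile(r"\(PROTOCOL\s*=\s*(\w+)\s*\)", re.I)
PORT_RE = re.compile(r"\(PORT\s*=\s*(\d+)\s*\)", re.I)

def listener_ports(text):
    """Map listener name -> {"ports": [...], "password": bool}."""
    text = re.sub(r"#.*", "", text)  # drop comments
    starts = list(ENTRY_RE.finditer(text))
    entries = {}
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        entries[m.group(1).upper()] = text[m.end():end]
    listeners = {}
    for name, body in entries.items():
        ports = []
        for addr in ADDRESS_RE.finditer(body):
            proto = PROTO_RE.search(addr.group(1))
            port = PORT_RE.search(addr.group(1))
            if proto and proto.group(1).upper() == "TCP" and port:
                ports.append(int(port.group(1)))
        if ports:  # entries without a TCP ADDRESS are parameters, not listeners
            listeners[name] = {"ports": ports, "password": "PASSWORDS_" + name in entries}
    return listeners

def ports_to_filter(listeners):
    """Every TCP listener port a perimeter filter must cover, not only 1521."""
    return sorted({p for l in listeners.values() for p in l["ports"]})

def unprotected_listeners(listeners):
    """Listeners whose administrative commands have no PASSWORDS_ entry."""
    return sorted(n for n, l in listeners.items() if not l["password"])
```

Run against the real listener.ora of each Concurrent Manager node, the port list is what the firewall rule set must block from untrusted networks, and the unprotected list is what the listener-hardening step in the advisory has to close.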


Copyright 2012, SecurityGlobal.net LLC