108245 2003-07-24  20:08  /86 lines/ Integrigy Security Alerts <alerts@integrigy.com>
Imported: 2003-07-24  20:08  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <5711>
Subject: Integrigy Security Alert - Oracle E-Business Suite AOL/J Setup Test Information Disclosure
------------------------------------------------------------

Integrigy Security Alert
______________________________________________________________________

Oracle E-Business Suite AOL/J Setup Test Information Disclosure
July 23, 2003
______________________________________________________________________

Summary:

The Oracle Applications AOL/J Setup Test Suite, used to troubleshoot
the Self-Service framework, can be exploited to remotely retrieve
sensitive configuration and host information without application
authentication.  The AOL/J Setup Test Suite is installed by default
for all 11i implementations.  A mandatory patch from Oracle is
required to correct this security issue.

Product:    Oracle E-Business Suite
Versions:   11.5.1 - 11.5.8
Platforms:  All platforms
Risk Level: Low
_____________________________________________________________________

Description:

The Oracle Applications Self-Service Framework (OA Framework) is the
foundation for self-service HRMS, iProcurement, iExpenses, and other
web applications.  The OA Framework includes a Test Suite used to
verify its installation and configuration.  The AOL/J Setup Test
Suite is implemented as JavaServer Pages (JSP); the main JSP page
is "aoljtest.jsp".  The AOL/J Setup Test Suite is installed for all
11i web and forms servers in the $COMMON_TOP/html/jsp/fnd directory.

Multiple vulnerabilities exist in the AOL/J Setup Test Suite allowing an
attacker to obtain valuable information on the configuration of
Oracle Applications without any database or application
authentication.  This information includes the GUEST user password
and application server security key.

Solution:

Oracle has released a patch for the Oracle E-Business Suite 11i that
corrects this vulnerability together with the other vulnerabilities
Oracle has identified in the AOL/J Setup Test Suite JSPs.

The following Oracle patch must be applied --

      Version     Patch
      -------     -----
      11i         2939083     (11.5.1 - 11.5.8)

Oracle Applications customers should consider this vulnerability low
risk and apply the above patch during the next normal maintenance
cycle.  Customers with Internet-facing application servers should
apply the patch immediately, or consider removing or restricting
access to the AOL/J Setup Test Suite until it can be applied.  In
addition, the GUEST user account should be checked to ensure that it
has only publicly accessible responsibilities assigned to it.
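The following script is an added example written for this alert; it is not Integrigy's or Oracle's code.  It covers two practitioner tasks the Description and Solution sections raise: confirming whether "aoljtest.jsp" answers an unauthenticated request on a given web tier (before patching, and again after access has been restricted), and reviewing web server access logs for earlier hits on the page.  It assumes that $COMMON_TOP/html is served as the usual OA_HTML virtual directory, so the page is reachable at /OA_HTML/jsp/fnd/aoljtest.jsp; the body markers used to recognise a rendered test page, the host names and the log lines are all constructed for the example.

```python
"""Check exposure of the AOL/J Setup Test Suite JSP and review access logs.

Added example for the Integrigy alert; not Integrigy's or Oracle's code.
"""
import re
import urllib.error
import urllib.request

# Assumption: $COMMON_TOP/html is published as OA_HTML, so the JSP named in
# the alert lives under this path.  Confirm the alias in your own web tier
# configuration before relying on it.
AOLJTEST_PATHS = ["/OA_HTML/jsp/fnd/aoljtest.jsp"]

# Assumption: strings that show the test page itself rendered (rather than a
# login page or an error).  Adjust after looking at one real response.
EXPOSED_MARKERS = ("aol/j setup test", "aoljtest")


def classify(status, body):
    """Turn an HTTP status and body into a verdict string.

    'exposed'     - page rendered without authentication (patch or restrict)
    'restricted'  - server refused access (401/403)
    'absent'      - page not found (removed, or alias differs)
    'unreachable' - no HTTP answer at all
    'manual'      - 200 without a recognised marker; inspect by hand
    """
    if status == 0:
        return "unreachable"
    if status in (401, 403):
        return "restricted"
    if status == 404:
        return "absent"
    if status == 200 and any(m in body.lower() for m in EXPOSED_MARKERS):
        return "exposed"
    return "manual"


def candidate_urls(base_url):
    """Join the web tier base URL with each candidate path."""
    return [base_url.rstrip("/") + p for p in AOLJTEST_PATHS]


def fetch(url, timeout=10):
    """GET url with no cookies or credentials; return (status, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "aoljtest-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:          # 4xx/5xx still carry a body
        return err.code, err.read(65536).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as err:
        return 0, str(err)


def probe(base_url):
    """Return [(url, verdict), ...] for one web tier."""
    return [(u, classify(*fetch(u))) for u in candidate_urls(base_url)]


# Apache combined log format: client, ident, user, [timestamp], "request", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def aoljtest_hits(log_lines):
    """Return (client_ip, timestamp, method, path, status) for each request
    to aoljtest.jsp, so past exposure can be scoped before the patch lands."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if "aoljtest.jsp" in path.lower():
            hits.append((ip, ts, method, path, int(status)))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Jul/2003:10:14:03 +0000] "GET /OA_HTML/jsp/fnd/aoljtest.jsp HTTP/1.0" 200 5123 "-" "Mozilla/4.0"',
    '198.51.100.4 - - [22/Jul/2003:10:15:11 +0000] "GET /OA_HTML/AppsLocalLogin.jsp HTTP/1.0" 200 2210 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [22/Jul/2003:10:16:42 +0000] "POST /OA_HTML/jsp/fnd/aoljtest.jsp HTTP/1.0" 200 7001 "-" "Mozilla/4.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    import sys
    for base in sys.argv[1:]:                       # e.g. http://apps.example.com:8000
        for url, verdict in probe(base):
            print(f"{verdict:12} {url}")
    for hit in aoljtest_hits(SAMPLE_LOG):
        print("log hit:", hit)
```

Run it against each web tier from a host outside the application's own network so that the result reflects what an unauthenticated Internet client sees; an "exposed" verdict after the patch has supposedly been applied, or any hit in the access log from an address you do not recognise, is the signal to act on.  Point aoljtest_hits at the real access log rather than SAMPLE_LOG to scope past exposure.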

Appropriate testing and backups should be performed before applying
any patches.

Additional Information:

  http://www.integrigy.com/resources.htm
  http://otn.oracle.com/deploy/security/pdf/2003alert55.pdf

For more information or questions regarding this security alert,
please contact us at alerts@integrigy.com.

Credit:

This vulnerability was discovered by Stephen Kost of Integrigy
Corporation.
______________________________________________________________________

About Integrigy Corporation (www.integrigy.com)

Integrigy Corporation is a leader in application security for large
enterprise, mission critical applications. Our application
vulnerability assessment tool, AppSentry, assists companies in
securing their largest and most important applications. Integrigy
Consulting offers security assessment services for leading ERP and
CRM applications.

For more information, visit www.integrigy.com.