[NEWS] Oracle E-Business Suite AOL/J Setup Test Information Disclosure

From: SecuriTeam (support_at_securiteam.com)
Date: 07/28/03

    To: list@securiteam.com
    Date: 28 Jul 2003 15:53:34 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Oracle E-Business Suite AOL/J Setup Test Information Disclosure
    ------------------------------------------------------------------------

    SUMMARY

    The Oracle Applications AOL/J Setup Test Suite, used to troubleshoot the
    Self-Service framework, can be exploited to remotely retrieve sensitive
    configuration and host information without application authentication. The
    AOL/J Setup Test Suite is installed by default for all 11i
    implementations. A mandatory patch from Oracle is required to solve this
    security issue.

    DETAILS

    Vulnerable Systems:
     * Oracle E-Business Suite 11.5.1 - 11.5.8

    The Oracle Applications Self-Service Framework (OA Framework) is the
    foundation for self-service HRMS, iProcurement, iExpenses, and other web
    applications. The OA Framework includes a Test Suite used to verify its
    installation and configuration. The AOL/J Setup Test Suite is implemented
    as Java Server Pages (JSP) and the main JSP page is "aoljtest.jsp". The
    AOL/J Setup Test Suite is installed for all 11i web and forms servers in
    the $COMMON_TOP/html/jsp/fnd directory.

    Multiple vulnerabilities exist in the AOL/J Setup Test Suite allowing an
    attacker to obtain valuable information on the configuration of Oracle
    Applications without any database or application authentication. This
    information includes the GUEST user password and application server
    security key.

    Solution:
    Oracle has released a patch for the Oracle E-Business Suite 11i to correct
    this vulnerability. Oracle has corrected multiple vulnerabilities in the
    AOL/J Setup Test Suite JSPs.

    The following Oracle patch must be applied:

          Version   Patch     Applies to
          -------   -------   -----------------
          11i       2939083   11.5.1 - 11.5.8

    Oracle Applications customers should consider this vulnerability low risk
    and apply the above patch during the next normal maintenance cycle.
    Customers with Internet facing application servers should apply the patch
    immediately or consider removing or restricting access to the AOL/J Setup
    Test Suite. In addition, the GUEST user account should be checked to
    ensure that it has only publicly accessible responsibilities assigned to
    it.
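    As an added detection example, not part of the original advisory, the script below scans web-server access-log lines for requests to the AOL/J Setup Test Suite JSPs and reports those that arrive from outside the administrative network, which is useful both for spotting probing and for confirming that access restrictions took effect. It assumes the Apache "common" log format, that $COMMON_TOP/html is served under the /OA_HTML alias (so the suite lives at /OA_HTML/jsp/fnd/), and a hypothetical trusted admin subnet; the sample log lines are constructed.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Assumption: $COMMON_TOP/html is exposed under /OA_HTML, so the test suite
# directory named in the advisory ($COMMON_TOP/html/jsp/fnd) maps to this prefix.
TEST_SUITE_PREFIX = "/OA_HTML/jsp/fnd/"

# Networks from which administrators are expected to run the suite
# (constructed example range; replace with the real admin subnets).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Apache "common" log format: client ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def is_trusted(client: str) -> bool:
    """True if the client address falls inside an administrative network."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:  # malformed or non-IP client field
        return False
    return any(addr in net for net in TRUSTED_NETS)


def find_test_suite_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return requests into the test-suite directory made by untrusted clients.
    The query string is stripped before matching and the path is compared
    case-insensitively, so neither '?x=y' nor mixed case hides a hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0].lower()
        if not path.startswith(TEST_SUITE_PREFIX.lower()):
            continue
        if is_trusted(m.group("client")):
            continue
        hits.append({"client": m.group("client"), "path": path,
                     "status": m.group("status"), "time": m.group("time")})
    return hits


# Constructed sample: an internal admin check, two external requests for the
# main test page (one with a query string, one in mixed case), normal traffic.
SAMPLE_LOG = [
    '10.1.2.3 - - [28/Jul/2003:15:53:34 +0200] "GET /OA_HTML/jsp/fnd/aoljtest.jsp HTTP/1.0" 200 5120',
    '203.0.113.7 - - [28/Jul/2003:16:01:02 +0200] "GET /OA_HTML/jsp/fnd/aoljtest.jsp?test=1 HTTP/1.0" 200 5120',
    '203.0.113.7 - - [28/Jul/2003:16:01:09 +0200] "GET /OA_HTML/jsp/fnd/AOLJTEST.JSP HTTP/1.0" 200 5120',
    '203.0.113.7 - - [28/Jul/2003:16:02:00 +0200] "GET /OA_HTML/index.html HTTP/1.0" 200 2048',
]
```

    Running the scanner over SAMPLE_LOG reports only the two external requests for aoljtest.jsp; once the suite is removed or restricted, the same requests should appear with 403 or 404 status codes instead of 200.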

    Appropriate testing and backups should be performed before applying any
    patches.

    ADDITIONAL INFORMATION

    The information was provided by Stephen Kost of Integrigy Corporation
    (alerts@integrigy.com).


    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

