[VulnWatch] Integrigy Security Advisory - Oracle Applications FNDFS Vulnerability

From: Integrigy Security Alerts (alerts@integrigy.com)
Date: 04/11/03

  • Next message: Dennis Rand: "[VulnWatch] Buffer Overflow Vulnerability Found in MailMax Version 5"
    From: "Integrigy Security Alerts" <alerts@integrigy.com>
    To: <vulnwatch@vulnwatch.org>
    Date: Thu, 10 Apr 2003 22:35:12 -0500
    
    

    Integrigy Security Advisory
    ______________________________________________________________________

    Oracle E-Business Suite FNDFS Vulnerability
    April 10, 2003
    ______________________________________________________________________

    Summary:

    The Oracle Applications FNDFS program, used to retrieve report output from
    the Concurrent Manager server, can be used to remotely retrieve any file
    from the server without operating system or application authentication. A
    mandatory patch from Oracle is required to solve this security issue.

    Product: Oracle E-Business Suite
    Versions: 10.7, 11.0 and 11.5.1 - 11.5.8
    Platforms: All platforms
    Risk Level: High
    ______________________________________________________________________

    Description:

    There exists a weakness in the communications protocol used by the Oracle
    Applications FND File Server (FNDFS) program, also referred to as the Report
    Review Agent (RRA), that may allow an attacker to retrieve any file from
    Oracle Applications Concurrent Manager servers bypassing operating system,
    database, and application authentication. The Concurrent Manager server is
    usually also the database server in most implementations. The FNDFS program
    is used by the Report Viewer (FNDWRR.exe) and ADI Request Center to retrieve
    reports and logs from the Concurrent Manager server.

    An attacker can exploit this vulnerability to retrieve sensitive data or
    files containing critical passwords from the server. Any file accessible by
    the oracle or applmgr accounts can be retrieved. Direct access to the
    Concurrent Manager server via SQL*Net is required.

    Solution:

    Oracle has released patches for Oracle Applications 11.0 and 11i to correct
    this vulnerability. Oracle has implemented a new security layer in the
    communications protocol used by the FNDFS program.

    The following Oracle patches must be applied to all servers --

          Version Patch
          ------- -----
          11.0 2782950 (All Releases)
          11i 2782945 (11.5.1 - 11.5.8)

    Application Desktop Integrator (ADI) users must also apply patch 2778660 to
    allow ADI clients to connect to the new FNDFS program.

    Appropriate testing and backups should be performed before applying any
    patches.

    All firewalls should block or filter the SQL*Net protocol, not permitting
    any SQL*Net access to the Concurrent Manager or database servers from the
    Internet or unsecured networks. Please note that the FNDFS program does not
    run on the standard Oracle SQL*Net port 1521, thus multiple SQL*Net ports
    must be blocked or filtered.

    Security for the FNDFS TNS Listener should be evaluated and include a
    password on the listener and connection limitations to only allow the
    application servers access to the listener. Customers running ADI may not
    be able to limit access to the listener, since ADI's Request Center requires
    direct access to the listener from the client. Additional information on
    security for Oracle TNS listeners can be found at:

      http://www.integrigy.com/info/Integrigy_OracleDB_Listener_Security.pdf

    Additional Information:

      http://www.integrigy.com/resources.htm
      http://otn.oracle.com/deploy/security/pdf/2003alert53.pdf

    For more information or questions regarding this security alert, please
    contact us at alerts@integrigy.com.

    Credit:

    This vulnerability was discovered by Stephen Kost of Integrigy Corporation.
    Integrigy is a member of the Oracle PartnerNetwork.
    _____________________________________________________________________

    About Integrigy Corporation (www.integrigy.com)

    Integrigy Corporation is a leader in application security for large
    enterprise, mission critical applications. Our application vulnerability
    assessment tool, AppSentry, assists companies in securing their largest and
    most important applications. Integrigy Consulting offers security assessment
    services for leading ERP and CRM applications.

    For more information, visit www.integrigy.com.


  • Next message: Dennis Rand: "[VulnWatch] Buffer Overflow Vulnerability Found in MailMax Version 5"

    Relevant Pages