[VulnWatch] Integrigy Security Alert - Oracle E-Business Suite AOL/J Setup Test Information Disclosure

From: Integrigy Security Alerts (alerts_at_integrigy.com)
Date: 07/24/03

  • Next message: Michal Zalewski: "[VulnWatch] Certain operating systems can be sometimes locally DoSed when running on particular types of hardware with certain versions of BIOS in specific multiboot configurations (and you thought XSS is too much?)"
    To: <vulnwatch@vulnwatch.org>
    Date: Thu, 24 Jul 2003 12:01:37 -0500
    
    

    Integrigy Security Alert
    ______________________________________________________________________

    Oracle E-Business Suite AOL/J Setup Test Information Disclosure
    July 23, 2003
    ______________________________________________________________________

    Summary:

    The Oracle Applications AOL/J Setup Test Suite, used to trouble-shoot the
    Self-Service framework, can be exploited to remotely retrieve sensitive
    configuration and host information without application authentication. The
    AOL/J Setup Test Suite is installed by default for all 11i implementations.
    A mandatory patch from Oracle is required to solve this security issue.

    Product: Oracle E-Business Suite
    Versions: 11.5.1 - 11.5.8
    Platforms: All platforms
    Risk Level: Low
    _____________________________________________________________________

    Description:

    The Oracle Applications Self-Service Framework (OA Framework) is the
    foundation for self-service HRMS, iProcurement, iExpenses, and other web
    applications. The OA Framework includes a Test Suite used to verify its
    installation and configuration. The AOL/J Setup Test Suite is implemented
    as Java Server Pages (JSP) and the main JSP page is "aoljtest.jsp". The
    AOL/J Setup Test Suite is installed for all 11i web and forms servers in the
    $COMMON_TOP/html/jsp/fnd directory.

    Multiple vulnerabilities exist in the AOL/J Setup Test Suite allowing an
    attacker to obtain valuable information on the configuration of Oracle
    Applications without any database or application authentication. This
    information includes the GUEST user password and application server security
    key.

    Solution:

    Oracle has released a patch for the Oracle E-Business Suite 11i to correct
    this vulnerability. Oracle has corrected multiple vulnerabilities in the
    AOL/J Setup Test Suite JSPs.

    The following Oracle patch must be applied --

          Version Patch
          ------- -----
          11i 2939083 (11.5.1 - 11.5.8)

    Oracle Applications customers should consider this vulnerability low risk
    and apply the above patch during the next normal maintenance cycle.
    Customers with Internet facing application servers should apply the patch
    immediately or consider removing or restricting access to the AOL/J Setup
    Test Suite. In addition, the GUEST user account should be checked to ensure
    that it has only publicly accessible responsibilities assigned to it.

    Appropriate testing and backups should be performed before applying any
    patches.

    Additional Information:

      http://www.integrigy.com/resources.htm
      http://otn.oracle.com/deploy/security/pdf/2003alert55.pdf

    For more information or questions regarding this security alert, please
    contact us at alerts@integrigy.com.

    Credit:

    This vulnerability was discovered by Stephen Kost of Integrigy Corporation.
    ______________________________________________________________________

    About Integrigy Corporation (www.integrigy.com)

    Integrigy Corporation is a leader in application security for large
    enterprise, mission critical applications. Our application vulnerability
    assessment tool, AppSentry, assists companies in securing their largest and
    most important applications. Integrigy Consulting offers security assessment
    services for leading ERP and CRM applications.

    For more information, visit www.integrigy.com.


  • Next message: Michal Zalewski: "[VulnWatch] Certain operating systems can be sometimes locally DoSed when running on particular types of hardware with certain versions of BIOS in specific multiboot configurations (and you thought XSS is too much?)"

    Relevant Pages