Computerworld
Print Article
Close Window

Oracle warns of security flaws

Two vulnerabilities affect the company's E-Business Suite

Paul Roberts, IDG News Service
 

July 24, 2003 (IDG News Service)

Oracle Corp. warned today of two serious security vulnerabilities in its E-Business Suite product. If left unattended, the software vulnerabilities could enable an attacker to run malicious code on an E-Business Suite server or view product configuration information.
One of the flaws is a buffer overflow vulnerability in an E-Business Suite component called FNDWRR that could let an attacker cause that program to crash, Oracle said.
FNDWRR is a Common Gateway Interface program that lets customers view Oracle reports and log files through a Web browser, according to an alert released by Integrigy Corp., the Chicago-based security research firm that discovered the vulnerabilities. Attackers could use a Web browser and specially crafted URLs to create a buffer overflow, crippling FNDWRR.
Attacks against FNDWRR would not disable the E-Business Suite product, Oracle said. But Integrigy warned that the vulnerabilities could allow attackers to run malicious code on the server running E-Business Suite.
Oracle also announced that a security hole was found in Java Server Pages (JSP) associated with an E-Business Suite component called AOL/J Setup Test Suite.
Part of E-Business Suite's Oracle Applications Self-Service Framework (OA Framework), the Setup Test Suite is installed on all Oracle 11i Web and forms servers and is used to verify the installation and configuration of the OA Framework, Integrigy said. The JSPs contain multiple security vulnerabilities that could enable an attacker to obtain configuration information that could be used to exploit E-Business Suite, according to Integrigy and Oracle.
A patch for the flaw removes the security hole and requires users to sign on before viewing configuration information stored in the JSPs, Oracle said.
The vulnerabilities were both rated "high risk" by the database company, which provided software patches to fix each problem and strongly urged its customers to review the security bulletins and apply the patches.
Yesterday, Oracle also disclosed a third vulnerability that affects the Oracle database product.
That flaw allows a buffer overflow in a database component called EXTPROC that could allow an attacker to run malicious code on an affected machine. Attackers would need to have a valid database log-in with special privileges to be able to take advantage of the flaw, however, and the attacks could not be launched remotely, Oracle said.
An exception was in situations where the Oracle database was connected directly to the Internet without protection from an intervening application server or firewall. However, best-practices guidelines strongly advised customers to avoid such high-risk deployments, Oracle said.
For those reasons, Oracle rated that vulnerability "low risk," saying it was most susceptible to exploitation by "insider attacks" that originate on corporate intranets.
The company released a patch for the buffer overflow vulnerability and recommended that customers review the security alert before applying the patch.
The security alerts and patches are available online from Oracle's Web site.