__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Oracle Unauthorized Disclosure of Information in E-Business Suite [Oracle Security Alert 55] July 25, 2003 22:00 GMT Number N-129 ______________________________________________________________________________ PROBLEM: A set of Java Server Pages (JSPs) allows users to view product configuration and host system diagnostic information without authentication. SOFTWARE: Oracle E-Business Suite 11i, All Releases Oracle Applications, All Releases DAMAGE: A knowledgeable and malicious user with specialized skills can use the host system diagnostic and product configuration information to exploit Oracle E-Business Suite. SOLUTION: Apply patch as stated in Oracle's security alert. ______________________________________________________________________________ VULNERABILITY The risk is LOW. An attacker may obtain product configuration ASSESSMENT: and host system diagnostic information without authentication, which Oracle believes will permit a malicious user to exploit the E-Business suite. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/n-129.shtml ORIGINAL BULLETIN: http://otn.oracle.com/deploy/security/pdf/2003alert55.pdf ______________________________________________________________________________ [***** Start Oracle Security Alert 55 *****] Oracle Security Alert 55 Dated: July 23, 2003 Severity: 1 Unauthorized Disclosure of Information in Oracle E-Business Suite Description A potential security vulnerability has been discovered in the Oracle E-Business Suite. A set of JSPs allows users to view product configuration and host system diagnostic information without authentication. Products Affected • Oracle E-Business Suite 11i, All Releases • Oracle Applications, All Releases Platforms Affected All platforms. Required conditions for exploit A user with HTTP access. Risk to exposure Oracle believes a knowledgeable and malicious user with specialized skills can use the host system diagnostic and product configuration information to exploit Oracle E-Business Suite. How to minimize risk There are no workarounds that directly address the potential security vulnerability, but a patch is available (see below). Oracle strongly recommends that customers follow best practices for Oracle E-Business Suite, Note 189367.1 “Best Practices for Keeping Your E-Business Suite Secure” available at http://metalink.oracle.com. Ramification for customer Customers are vulnerable unless the patch fix is applied. Oracle strongly recommends that customers review the severity rating for this Alert and patch accordingly. See http://otn.oracle.com/deploy/security/pdf/oracle_severity_rating s.pdf for a definition of severity ratings. Patch Information The patch disallows standalone access to AOL/J Setup Test JSPs and forces users to sign-on using a secure application schema login. Note: The patch must be applied to all platforms and across all releases of Oracle E-Business Suite Release 11i and Oracle Applications. Fixed by Obtain and install the correct Mandatory Applications Security Patch for your release of E-Business Suite: • Oracle E-Business Suite 11i, All Releases • Oracle Applications, All Releases Download this one-off patch from the Oracle Support Services web site, MetaLink (http://metalink.oracle.com). 1. Click on the Patches button. 2. Click on the "New Metalink Patch Search ". If you are not on the "Simple Search" screen, click on the "Simple Search" button. 3. Input the bug number 2939083 on the "Search by Patch Number" box. 4. Click Go. 5. Select the patch for the appropriate product version. 6. Click Download. Credits Oracle Corporation thanks Stephen Kost of Integrigy Corporation for discovering and promptly bringing this potential security vulnerability to Oracle’s attention. The Integrigy alert is available at http://www.integrigy.com/alerts.htm. Modification History 23-JUL-03: Initial release, version 1 [***** End Oracle Security Alert 55 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Oracle Corporation for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) N-119: Microsoft Internet Security and Acceleration (ISA) Server Error Pages Could Allow Cross-Site Scripting Attack N-120: Unchecked Buffer in Microsoft Windows Shell Could Enable System Compromise N-121: Red Hat Updated Mozilla Packages Fix Security Vulnerability N-122: Red Hat Updated 2.4 Kernel Fixes Vulnerabilities N-123: SGI Login Vulnerabilities N-124: Sun Solaris 8 LDAP Clients May Log the Proxy Agent User's Password as Clear Text N-125: Cumulative Patch for Microsoft SQL Server N-126: Microsoft Unchecked Buffer in DirectX Could Enable System Compromise N-127: Buffer Overflows in EXTPROC of Oracle Database Server N-128: Oracle Buffer Overflow in E-Business Suite