lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <002501c35203$d38e1730$6601a8c0@steve>
Date: Thu, 24 Jul 2003 11:51:27 -0500
From: "Integrigy Security Alerts" <alerts@...egrigy.com>
To: <bugtraq@...urityfocus.com>
Subject: Integrigy Security Alert - Oracle E-Business Suite AOL/J Setup Test Information Disclosure



Integrigy Security Alert
______________________________________________________________________

Oracle E-Business Suite AOL/J Setup Test Information Disclosure
July 23, 2003
______________________________________________________________________

Summary:

The Oracle Applications AOL/J Setup Test Suite, used to trouble-shoot the
Self-Service framework, can be exploited to remotely retrieve sensitive
configuration and host information without application authentication.  The
AOL/J Setup Test Suite is installed by default for all 11i implementations.
A mandatory patch from Oracle is required to solve this security issue.

Product:    Oracle E-Business Suite
Versions:   11.5.1 - 11.5.8
Platforms:  All platforms
Risk Level: Low
_____________________________________________________________________

Description:

The Oracle Applications Self-Service Framework (OA Framework) is the
foundation for self-service HRMS, iProcurement, iExpenses, and other web
applications.  The OA Framework includes a Test Suite used to verify its
installation and configuration.  The AOL/J Setup Test Suite is implemented
as Java Server Pages (JSP) and the main JSP page is "aoljtest.jsp".  The
AOL/J Setup Test Suite is installed for all 11i web and forms servers in the
$COMMON_TOP/html/jsp/fnd directory.  

Multiple vulnerabilities exist in the AOL/J Setup Test Suite allowing an
attacker to obtain valuable information on the configuration of Oracle
Applications without any database or application authentication.  This
information includes the GUEST user password and application server security
key.

Solution:

Oracle has released a patch for the Oracle E-Business Suite 11i to correct
this vulnerability.  Oracle has corrected multiple vulnerabilities in the
AOL/J Setup Test Suite JSPs.

The following Oracle patch must be applied --

      Version     Patch
      -------     -----
      11i         2939083     (11.5.1 - 11.5.8)

Oracle Applications customers should consider this vulnerability low risk
and apply the above patch during the next normal maintenance cycle.
Customers with Internet facing application servers should apply the patch
immediately or consider removing or restricting access to the AOL/J Setup
Test Suite.  In addition, the GUEST user account should be checked to ensure
that it has only publicly accessible responsibilities assigned to it.

Appropriate testing and backups should be performed before applying any
patches.

Additional Information:

  http://www.integrigy.com/resources.htm
  http://otn.oracle.com/deploy/security/pdf/2003alert55.pdf

For more information or questions regarding this security alert, please
contact us at alerts@...egrigy.com.

Credit:

This vulnerability was discovered by Stephen Kost of Integrigy Corporation.
______________________________________________________________________

About Integrigy Corporation (www.integrigy.com)

Integrigy Corporation is a leader in application security for large
enterprise, mission critical applications. Our application vulnerability
assessment tool, AppSentry, assists companies in securing their largest and
most important applications. Integrigy Consulting offers security assessment
services for leading ERP and CRM applications.

For more information, visit www.integrigy.com.





Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ