| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 10 May 2020 14:29:36 -0400 From: Nightwatch Cybersecurity Research <research@...htwatchcybersecurity.com> To: fulldisclosure@...lists.org Subject: [FD] Two vulnerabilities in Oracle’s iPlanet Web Server (CVE-2020-9315 and CVE-2020-9314) (Original blog post here: https://wwws.nightwatchcybersecurity.com/2020/05/10/two-vulnerabilities-in-oracles-iplanet-web-server-cve-2020-9315-and-cve-2020-9314/) SUMMARY Two vulnerabilities were discovered in the web administration console of Oracle’s iPlanet Web Server which allow for sensitive data exposure and limited injection. The first issue allows read-only access to any page within the administration console without authentication, resulting in sensitive data exposure. The second issue allows for injection of external images which can be used for phishing and social engineering. These vulnerabilities have been reported to the vendor (Oracle) but the vendor will not be issuing security patches because the affected product is no longer supported. Users are encouraged to implement other controls to mitigate these vulnerabilities such as restricting network access to the administration console from the Internet or switching to a supported platform. Version 7 has been tested and found to be vulnerable, however, it is unknown whether earlier versions are affected. Latest versions of Oracle Glassfish and Eclipse Glassfish application server (v5) share common code with the affected product, have been tested and do not seem to be vulnerable. MITRE has assigned CVE-2020-9315 to track the sensitive data exposure issue and CVE-2020-9314 to track the injection issue. ISSUE #1 – SENSITIVE DATA EXPOSURE / ADMIN GUI BYPASS (CVE-2020-9315) A vulnerability exists in the web administration console of Oracle’s iPlanet Web Server which makes it possible to read information from any page within the console without authentication. This can result in sensitive data exposure of configuration information about the server including encryption keys, JVM configuration and other data. We did not perform testing to see whether this vulnerability allows for changes to be made within the console. This is accomplished by replacing any URL for any page within the administration console as follows: - http://%5Btarget%5D/admingui/admingui/* with: - http://%5Btarget%5D/admingui/version/* To replicate, try the following URLs: - http://%5Btarget%5D/admingui/version/ - http://%5Btarget%5D/admingui/version/serverTasksGeneral?serverTasksGeneral.GeneralWebserverTabs.TabHref=2 ISSUE #2 – IMAGE INJECTION IN THE ADMIN GUI (CVE-2020-9314) The “productNameSrc” parameter in the administration console allows for injection of external images. When used in combination with the “productNameHeight” and “productNameWidth” parameters, this can be used to inject an external image into a site to facilitate phishing. This is due to an incomplete fix for CVE-2012-0516. The earlier fix added validation against XSS issues but didn’t add validation to make sure an external image is not loaded. To replicate, try the following URLs: - http://%5Btarget%5D/admingui/version/Version?&productNameSrc=http://www.example.com/test.jpg&productNameHeight=500&productNameWidth=500 - http://%5Btarget%5D/admingui/version/Masthead.jsp?productNameSrc=http://www.example.com/test.jpg&productNameHeight=500&productNameWidth=500 VENDOR RESPONSE Both vulnerabilities have been reported to the vendor (Oracle), however the vendor doesn’t plan to issue security patches since the product is no longer supported, as per the following responses: "Oracle iPlanet Web Server 7.0.x is no longer supported. Please see the life time support document." And: "Thank you for your report regarding Oracle iPlanet Web Server 7.0.x, which is no longer supported by Oracle. Since Oracle no longer supports Oracle iPlanet Web Server 7.0.x, the policy is that there is no coordinated disclosure involving Oracle. Reporters who discover security vulnerabilities in products that Oracle no longer supports are free to disclose vulnerability details without Oracle participation. Oracle does not assign CVEs for products that are no longer supported. That means, if you want a CVE assigned you will need to contact Mitre." CERT/CC concurred with the vendor’s assessment. MITRE has assigned CVE-2020-9315 to track the sensitivity data exposure issue, and CVE-2020-9314 to track the injection issue. AFFECTED VERSIONS AND MITIGATIONS Version 7 has been tested and found to be vulnerable, however, it is unknown whether earlier versions are affected. Latest versions of Oracle Glassfish and Eclipse Glassfish application server (v5) share common code with the affected product but have been tested and do not seem to be vulnerable. Users are encouraged to implement other controls to mitigate these vulnerabilities such as restricting network access to the administration console from the Internet or switching to a supported platform. REFERENCES CERT/CC ID: VU#343851 CVEs: CVE-2020-9315 and CVE-2020-9314 Oracle lifetime support documentation: see [https://www.oracle.com/us/assets/lifetime-support-middleware-069163.pdf] Related vulnerability regarding XSS: CVE-2012-0516 and advisory [http://www.pwn2hack.com/2012/04/oracle-iplanet-web-server-709-multiple.html] CREDITS We would like to thank Synack for assistance with the disclosure process. Text of the advisory was written by Y. Shafranovich. TIMELINE 2020-01-19: Initial discovery 2020-01-24: Initial disclosure sent to vendor; rejected since product is not supported 2020-01-24: Clarification questions sent to the vendor 2020-01-27: Report again rejected by vendor; referred to MITRE for CVE assignment 2020-01-29: CVEs requested from MITRE 2020-02-07: Initial report sent to CERT/CC 2020-02-17: CVE request rejected by MITRE, resubmitted with more data 2020-02-18: Response received from CERT/CC 2020-02-20: CVE assignments received from MITRE 2020-02-20: CVEs and disclosure plans communicated to the vendor 2020-05-10: Public disclosure _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists