Oracle warns of security flaws

Oracle Corp. warned Thursday of two serious security vulnerabilities in its E-Business Suite product.

If left unattended, the software vulnerabilities could enable an attacker to run malicious code on an E-Business Suite server or view product configuration information.

A buffer overflow vulnerability in an E-Business Suite component called FNDWRR could let an attacker cause that program to crash, Oracle said.

FNDWRR is a CGI (common gateway interface) program that lets customers view Oracle reports and log files through a Web browser, according to an alert released by Integrity Corp., a security research firm that discovered the vulnerabilities.

Attackers could use a Web browser and specially crafted URLs to create a buffer overflow, crippling FNDWRR.

Attacks against FNDWRR would not disable the E-Business Suite product, Oracle said.

But Integrity warned that the vulnerabilities could allow attackers to run malicious code on the server running E-Business Suite.

Oracle also announced that a security hole was found in Java Server Pages (JSPs) associated with an E-Business Suite component called AOL/J Setup Test Suite.

Part of E-Business Suite’s Oracle Applications Self-Service Framework (OA Framework), the Setup Test Suite is installed on all Oracle 11i Web and forms servers and is used to verify the installation and configuration of the OA Framework, Integrity said.

The JSPs contain multiple security vulnerabilities that could enable an attacker to obtain configuration information that could be used to exploit E-Business Suite, according to Integrity and Oracle.

A patch for the hole removes the security hole and requires users to sign-on before viewing configuration information stored in the JSPs, Oracle said.

The vulnerabilities were both rated “high risk” by the Redwood City, Calif., database company. Oracle provided software patches to fix each problem and strongly urged its customers to review the security bulletins and apply the patches.

On Wednesday, Oracle also disclosed a third vulnerability that affects the Oracle Database product.

A buffer overflow in an Database component called EXTPROC could allow an attacker to run malicious code on an affected machine.

Attackers would need to have a valid database login with special privileges to be able to take advantage of the flaw, and attacks could not be launched remotely, Oracle said.

An exception was in situations where the Oracle database was connected directly to the Internet without protection from an intervening application server or firewall. However, best-practices guidelines strongly advised customers to avoid such high risk deployments, Oracle said.

For those reasons, Oracle rated the vulnerability “low risk,” saying it was most susceptible to exploitation by “insider attacks” that originate on corporate Intranets.

The company released a patch for the buffer overflow vulnerability and recommended that customers review the security alert before applying the patch.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Empowering the hybrid workforce: how technology can build a better employee experience

Across the country, employees from organizations of all sizes expect flexibility...

What’s behind the best customer experience: How to make it real for your business

The best customer experience – the kind that builds businesses and...

Overcoming the obstacles to optimized operations

Network-driven optimization is a top priority for many Canadian business leaders...

Thriving amid Canada’s tech talent shortage

With today’s tight labour market, rising customer demands, fast-evolving cyber threats...

Staying protected and compliant in an evolving IT landscape

Canadian businesses have changed remarkably and quickly over the last few...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now