|
Oracle E-Business Suite access to arbitrary files
|
|
Secunia Advisory:
|
SA8570
|
|
|
Release Date:
|
2003-04-11
|
|
Popularity:
|
5,730 views
|
|
|
Critical:
|
Moderately critical
|
|
Impact:
|
Exposure of sensitive information
|
|
Where:
|
From remote
|
|
Solution Status:
|
Vendor Patch
|
|
| Software: | Oracle Applications 10.x
Oracle Applications 11.x
Oracle E-Business Suite 11i
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities 
|
|
Description:
A vulnerability has been identified in Oracle E-Business Suite allowing remote users to retrieve any file readable by the "oracle" or "applmgr" accounts.
The problem exists due to a weakness in the protocol used to communicate with Oracle Applications FND File Server. To exploit this weakness users need access to the Concurrent Manager server via TNS Listener (also known as SQL*Net and Net8).
Solution:
Oracle has issued patches:
http://metalink.oracle.com/
Oracle E-Business Suite 11i
Patch 2782945
Oracle Applications 11.0
Patch 2782950
Oracle Applications 10.7
A patch is not available.
If you use ADI Client, you should also install patch 2778660.
Provided and/or discovered by:
Integrigy Corporation
Original Advisory:
http://otn.oracle.com/deploy/security/pdf/2003alert53.pdf
Other References:
Integrigy have written a guide about how to secure your Oracle Database Listener:
http://www.integrigy.com/info/Integrigy_OracleDB_Listener_Security.pdf
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
