Oracle warned Thursday of two serious security vulnerabilities in its E-Business Suite software.

If left unattended, the software vulnerabilities could enable an attacker to run malicious code on an E-Business Suite server or view product configuration information.

A buffer overflow vulnerability in an E-Business Suite component called FNDWRR could let an attacker cause that program to crash, Oracle said. FNDWRR is a CGI (common gateway interface) program that lets customers view Oracle reports and log files through a Web browser, according to an alert released by Integrigy, a security research firm that discovered the vulnerabilities.

Attackers could use a Web browser and specially crafted URLs to create a buffer overflow, crippling FNDWRR. Attacks against FNDWRR would not disable the E-Business Suite product, Oracle said.

But Integrigy warned that the vulnerabilities could allow attackers to run malicious code on the server running E-Business Suite.

Oracle also announced that a security hole was found in Java Server Pages (JSP) associated with an E-Business Suite component called AOL/J Setup Test Suite.

Part of E-Business Suite’s Oracle Applications Self-Service Framework (OA Framework), the Setup Test Suite is installed on all Oracle 11i Web and forms servers and is used to verify the installation and configuration of the OA Framework, Integrigy said.

The JSPs contain multiple security vulnerabilities that could enable an attacker to obtain configuration information that could be used to exploit E-Business Suite, according to Integrigy and Oracle.

A patch removes the security hole and requires users to sign on before viewing configuration information stored in the JSPs, Oracle said. The vulnerabilities were both rated “high risk” by the Redwood City, Calif., database company.

Oracle provided software patches to fix each problem and strongly urged its customers to review the security bulletins and apply the patches.

On Wednesday, Oracle also disclosed a third vulnerability that affects the Oracle Database product.

A buffer overflow in a Database component called EXTPROC could allow an attacker to run malicious code on an affected machine.

Attackers would need to have a valid database login with special privileges to be able to take advantage of the flaw, and attacks could not be launched remotely, Oracle said. An exception was in situations where the Oracle database was connected directly to the Internet without protection from an intervening application server or firewall. However, best-practices guidelines strongly advised customers to avoid such high-risk deployments, Oracle said.

For those reasons, Oracle rated the vulnerability “low risk,” saying it was most susceptible to exploitation by “insider attacks” that originate on corporate intranets.

The company released a patch for the buffer overflow vulnerability and recommended that customers review the security alert before applying the patch.

Oracle last warned of product vulnerabilities in April, when it issued a patch for a critical buffer overflow vulnerability that affected all supported versions of Oracle database servers.