News
- SANS Critical Vulnerability Analysis Vol. 2. No. 29
- "The FNDWRR.exe CGI program is a component of the Oracle Applications and E-Business Suite products, and allows web-based viewing of reports and log data. This program contains a buffer overflow vulnerability in handling overlong URLs provided in client web requests. Remote attackers can exploit the flaw to execute arbitrary code with the privileges of the vulnerable server process."
- Security Wire - High-risk Vulnerabilities in Oracle E-Business Suite
- "Stephen Kost, CTO of security software and services provider Integrigy, has discovered an exploitable buffer-overflow vulnerability in Oracle's E-Business Suite Applications Web Report Review (FNDWRR) program used to view reports and logs in a Web browser."
- ComputerWeekly - Oracle warns of flaws in E-Business suite
- "Part of E-Business Suite's Oracle Applications Self-Service Framework (OA Framework), the Setup Test Suite, is installed on all Oracle 11i web and forms servers and is used to verify the installation and configuration of the OA Framework, Integrigy said."
- ComputerWorld - Oracle warns of security flaws
- "One of the flaws is a buffer overflow vulnerability in an E-Business Suite component called FNDWRR that could let an attacker cause that program to crash, Oracle said. FNDWRR is a Common Gateway Interface program that lets customers view Oracle reports and log files through a Web browser, according to an alert released by Integrigy Corp., the Chicago-based security research firm that discovered the vulnerabilities."
- SANS Critical Vulnerability Analysis Vol. 2. No. 15
- "The Oracle E-Business Suite Report Review Agent (RRA) contains a vulnerability that allows remote attackers to read sensitive data on Oracle Applications Concurrent Manager servers, including password files."