Buffer Overflow
September 11, 2007
Oracle Jinitiator 1.1.8 Vulnerabilities
US-CERT released an advisory on August 28, 2007 regarding multiple stack buffer overflows in the Oracle Jinitiator product (Vulnerability Note VU#474433/CVE-2007-4467). Because of limited public technical information on Jinitiator, no access to the Oracle support website, and perhaps a lack of cooperation from Oracle itself, the information released by US-CERT is incomplete as to the true scope of vulnerable Jinitiator versions, does not identify all vulnerable Jinitiator installs, and gives only limited remediation steps.
All released Jinitiator 1.1.8 versions from 1.1.8.3 to 1.1.8.25 contain the buffer overflows in the Jinitiator ActiveX control – the US-CERT advisory only identifies versions through 1.1.8.16 as vulnerable. Each Jinitiator 1.1.8 version install uses a separate Microsoft Windows CLSID for the vulnerable ActiveX control so that multiple versions can co-exist; therefore, 15 CLSIDs must be used to identify and disable the vulnerable ActiveX controls rather than the single CLSID identified in the original advisory. In addition to disabling and uninstalling the vulnerable Jinitiator software, applications currently using vulnerable Jinitiator versions must be upgraded to use version 1.3.x, which may also require upgrading the Oracle Forms software running on the server. It is important to note that each Jinitiator version (1.1.8.x) is a separate installation, so there could theoretically be as many as 15 versions of Jinitiator 1.1.8 simultaneously installed on a client PC, even though only one or two versions are currently being used.
This vulnerability is different from previous Oracle vulnerabilities in that it is in the client web software. Potentially, all client PCs that have accessed an Oracle Forms application such as Oracle E-Business Suite 11i, Oracle Clinical, Retek, Sungard Banner, FLEXCUBE, or any custom Oracle Forms application could be vulnerable. A targeted attack against your organization may be successful, especially as it requires only one unsuspecting user to click a URL.
DBAs are used to applying patches to fix Oracle security vulnerabilities, but not in this case. This one first requires some work to identify what is out there and to work with the desktop management team to roll out an uninstall-type solution, especially since there may be 5 or more Jinitiator versions installed on a client PC. Also, upgrades to Oracle Forms 6i applications may be required in order to support Jinitiator 1.3.1.x.
Integrigy has released a detailed analysis of these vulnerabilities to provide additional information and comprehensive remediation steps. The analysis can be downloaded at:
http://www.integrigy.com/security-resources/analysis/integrigy-oracle-jinitiator-vulnerability.pdf
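The post above notes that each Jinitiator 1.1.8.x install registers the vulnerable ActiveX control under its own CLSID, so identifying and disabling them means dealing with up to 15 CLSIDs per client PC. The PowerShell script below is an added example and is not Integrigy's or Oracle's code. Rather than relying on a hard-coded CLSID list, it walks HKEY_CLASSES_ROOT\CLSID, selects every COM class whose InprocServer32 DLL path contains "jinitiator" (that match string is an assumption about where the installer places the control), and reports whether Internet Explorer's kill bit (bit 0x400 of "Compatibility Flags" under the ActiveX Compatibility key) is already set for it. A helper that sets the kill bit is included but is not run unless you uncomment the last line.

```powershell
# Added example: discover Jinitiator ActiveX controls by their registered DLL path
# and report/set the Internet Explorer kill bit for each CLSID found.
# Assumption: the control's InprocServer32 path contains the string 'jinitiator'.

$killBitBase = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$clsidRoot   = 'Registry::HKEY_CLASSES_ROOT\CLSID'

function Get-KillBitFlags {
    # Returns the current Compatibility Flags DWORD for a CLSID, or 0 if none is set.
    param([Parameter(Mandatory)][string]$Clsid)
    $flagsKey = Join-Path $killBitBase $Clsid
    if (-not (Test-Path $flagsKey)) { return 0 }
    $value = (Get-ItemProperty -Path $flagsKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $value) { return 0 }
    return [int]$value
}

function Get-JinitiatorControls {
    # Enumerates every registered CLSID whose in-process server DLL looks like Jinitiator.
    Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $inproc = Join-Path $_.PSPath 'InprocServer32'
        if (-not (Test-Path $inproc)) { return }
        $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        if ($dll -and $dll -match 'jinitiator') {
            $clsid = $_.PSChildName
            $flags = Get-KillBitFlags -Clsid $clsid
            [pscustomobject]@{
                CLSID      = $clsid
                Dll        = $dll
                KillBitSet = (($flags -band 0x400) -ne 0)
            }
        }
    }
}

function Set-KillBit {
    # Sets bit 0x400 (kill bit) in Compatibility Flags for one CLSID; requires elevation.
    param([Parameter(Mandatory)][string]$Clsid)
    $flagsKey = Join-Path $killBitBase $Clsid
    if (-not (Test-Path $flagsKey)) { New-Item -Path $flagsKey -Force | Out-Null }
    $current = Get-KillBitFlags -Clsid $Clsid
    Set-ItemProperty -Path $flagsKey -Name 'Compatibility Flags' -Value ($current -bor 0x400) -Type DWord
}

# Report what is installed and whether IE is already prevented from loading it.
$controls = Get-JinitiatorControls
$controls | Format-Table -AutoSize

# Uncomment to apply the kill bit to every control found that does not already have it:
# $controls | Where-Object { -not $_.KillBitSet } | ForEach-Object { Set-KillBit -Clsid $_.CLSID }
```

Run it in an elevated session so the report covers the machine-wide hive. On 64-bit Windows the 32-bit control's kill bit lives under the Wow6432Node copy of the ActiveX Compatibility key, so check that path as well. The kill bit only stops Internet Explorer from instantiating the control; it does not remove the Jinitiator installation or address the Forms application dependency, which, as the post says, still has to be upgraded to 1.3.x.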
July 31, 2006
Un-patched Oracle Database Bugs - E-Business Suite Impact
There are currently three major un-patched and published Oracle Database security bugs and all three bugs impact the Oracle E-Business Suite. All Oracle Applications 11i implementations should review the possible impact on their installations to determine the necessary corrective action. I don't foresee any of these bugs being fixed before the October 2005 Critical Patch Update.
Here is a quick rundown of the bugs --
- The previous fixes for a number of SQL injection bugs in standard Oracle Database packages are flawed and can still be compromised. This is a particularly critical issue in Oracle Applications due to the APPLSYSPUB account and due to the design of the application.
- The View access bypass bug, first inadvertently published by Oracle in April 2006, was not patched in the July 2006 CPU. This bug can be easily exploited in Oracle Applications. Any database account with CREATE VIEW system privilege can insert, update, or delete any data where the account has only select permissions. This bug pretty much blows any data integrity of the application out of the water if you have database accounts with CREATE VIEW privilege.
- An integer overflow exists in the Alter Session statement and can be exploited by the APPLSYSPUB account. Advanced knowledge is probably required to exploit this issue, unless someone publishes a detailed exploit.
Integrigy has released an in-depth analysis with possible mitigation steps.