An undisclosed security vulnerability exists in Oracle Applications 11i that may allow an unauthenticated, internal attacker to obtain Oracle Applications' user account encrypted password strings, which in turn can be decrypted using previously published information. An attacker can potentially obtain either any user's password or the Oracle Applications' main database account password (APPS). The attacker must have direct SQL*Net access to the database (e.g., SQL*Plus) and to exploit the vulnerability neither of the Oracle Applications security features "Managed SQL*Net Access" and "Server Security" can be enabled. The underlying issue is that Oracle Applications passwords can be easily decrypted using methods previously published. All Oracle Applications implementations should enable at least "Server Security" and preferably also enable "Managed SQL*Net Access".

Oracle E-Business Suite, Information Disclosure