Oracle Jinitiator 1.1.8 Vulnerabilities

US-CERT released an advisory on August 28, 2007 regarding multiple stack buffer overflows in the Oracle Jinitiator product (Vulnerability Note VU#474433/CVE-2007-4467). Because little technical information on Jinitiator is public, the Oracle support website was not accessible, and Oracle itself may not have cooperated, the information released by US-CERT is incomplete as to the true scope of vulnerable Jinitiator versions, does not identify all vulnerable Jinitiator installs, and offers only limited remediation steps.

All released Jinitiator 1.1.8 versions from 1.1.8.3 to 1.1.8.25 contain the buffer overflows in the Jinitiator ActiveX control; the US-CERT advisory identifies only versions through 1.1.8.16 as vulnerable. Each Jinitiator 1.1.8 version install uses a separate Microsoft Windows CLSID for the vulnerable ActiveX control so that multiple versions can co-exist; therefore, 15 CLSIDs must be used to identify and disable the vulnerable ActiveX controls rather than the single CLSID identified in the original advisory. In addition to disabling and uninstalling the vulnerable Jinitiator software, applications currently using vulnerable Jinitiator versions must be upgraded to use version 1.3.x, which may also require upgrading the Oracle Forms software running on the server. It is important to note that each Jinitiator version (1.1.8.x) is a separate installation, so there could theoretically be as many as 15 versions of Jinitiator 1.1.8 simultaneously installed on a client PC, even though only one or two versions are currently being used.

This vulnerability is different from previous Oracle vulnerabilities in that it is in the client web software. Potentially, all client PCs that have accessed an Oracle Forms application such as Oracle E-Business Suite 11i, Oracle Clinical, Retek, Sungard Banner, FLEXCUBE, or any custom Oracle Forms application could be vulnerable. A targeted attack against your organization may be successful, especially as it requires only one unsuspecting user to click a URL.

DBAs are used to applying patches to fix Oracle security vulnerabilities, but not in this case. This one first requires some work to identify what is out there, and then coordination with the desktop management team to roll out an uninstall-type solution, especially since there may be 5 or more Jinitiator versions installed on a client PC. Also, upgrades may be required to Oracle Forms 6i applications in order to support Jinitiator 1.3.1.x.
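The identification and disabling steps described above (one CLSID per installed 1.1.8.x version, then a desktop-wide disable/uninstall rollout) can be scripted. The following PowerShell script is an added example, not code from the US-CERT advisory or from Integrigy's analysis. It inventories every Jinitiator 1.1.8.x ActiveX control registered on a client PC and, when run with -SetKillBit, sets the Internet Explorer kill bit (the documented Compatibility Flags value 0x400) for each CLSID so the browser refuses to instantiate it. Rather than hard-coding the 15 CLSIDs, it assumes (not stated on the page) that each control's InprocServer32 path contains "JInitiator 1.1.8"; it also checks the WOW6432Node class root for 32-bit controls on x64 Windows. Adjust the path filter if your installs register differently.

```powershell
<#
  Added example, not part of the Integrigy post or analysis.
  Inventories Oracle Jinitiator 1.1.8.x ActiveX controls registered on a
  client PC and, with -SetKillBit, sets the Internet Explorer "kill bit"
  (Compatibility Flags = 0x400) for each CLSID so IE will not load it.
  Assumptions not stated on the page: the control's InprocServer32 path
  contains "JInitiator 1.1.8"; 32-bit controls on x64 Windows register
  under WOW6432Node. Run from an elevated PowerShell session.
#>
param([switch]$SetKillBit)

$classRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID'   # 32-bit controls on x64 Windows
)
$killBitRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)
$killBitFlag = 0x400   # documented kill-bit value for "Compatibility Flags"

function Get-JinitiatorControls {
    # Walk every registered CLSID and keep those whose in-process server DLL
    # path points at a Jinitiator 1.1.8 install (assumed path pattern).
    foreach ($root in $classRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($clsidKey in Get-ChildItem $root -ErrorAction SilentlyContinue) {
            $server = Get-ItemProperty -LiteralPath "$($clsidKey.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if (-not $server -or -not $server.'(default)') { continue }
            $dll = $server.'(default)'.Trim('"')
            if ($dll -notmatch 'JInitiator\s*1\.1\.8') { continue }
            $version = if ($dll -match '1\.1\.8\.\d+') { $Matches[0] } else { '1.1.8.?' }
            [pscustomobject]@{
                CLSID   = $clsidKey.PSChildName   # one CLSID per installed version
                Version = $version
                Dll     = $dll
                OnDisk  = Test-Path -LiteralPath $dll   # registered but deleted DLLs still matter
            }
        }
    }
}

function Test-KillBit([string]$Clsid) {
    # True only if every applicable compatibility key already carries the flag.
    foreach ($root in $killBitRoots) {
        if (-not (Test-Path $root)) { continue }   # no Wow6432Node key on 32-bit Windows
        $p = Get-ItemProperty -LiteralPath "$root\$Clsid" -ErrorAction SilentlyContinue
        if (-not $p -or (($p.'Compatibility Flags' -band $killBitFlag) -ne $killBitFlag)) { return $false }
    }
    return $true
}

function Set-KillBit([string]$Clsid) {
    # Create the per-CLSID compatibility key (if missing) and set the kill bit.
    foreach ($root in $killBitRoots) {
        if (-not (Test-Path $root)) { continue }
        $key = "$root\$Clsid"
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $killBitFlag -PropertyType DWord -Force | Out-Null
    }
}

$controls = @(Get-JinitiatorControls)
if ($controls.Count -eq 0) {
    Write-Output 'No Jinitiator 1.1.8.x ActiveX controls are registered on this host.'
    return
}
foreach ($c in $controls) {
    $blocked = Test-KillBit $c.CLSID
    $state = if ($blocked) { 'kill bit set' } else { 'ENABLED' }
    Write-Output ('{0}  {1}  on disk: {2}  [{3}]' -f $c.CLSID, $c.Version, $c.OnDisk, $state)
    if ($SetKillBit -and -not $blocked) {
        Set-KillBit $c.CLSID
        Write-Output ('  -> kill bit set for {0}' -f $c.CLSID)
    }
}
```

Run it without -SetKillBit first across a sample of desktops to build the inventory the post calls for (it will show several versions on one PC where users have worked with more than one Forms application), then with -SetKillBit as the disable step of the rollout. The kill bit only stops Internet Explorer from loading the control; the uninstall of each 1.1.8.x version and the upgrade of the Forms applications to Jinitiator 1.3.x remain separate steps, as described above.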

Integrigy has released a detailed analysis of these vulnerabilities to provide additional information and comprehensive remediation steps. The analysis can be downloaded at:

http://www.integrigy.com/security-resources/analysis/integrigy-oracle-jinitiator-vulnerability.pdf