Date: Thu, 10 Apr 2003 22:33:05 -0500
From: Integrigy Security Alerts <[email protected]>
To: [email protected]
Subject: Integrigy Security Advisory - Oracle Applications FNDFS Vulnerability
Integrigy Security Advisory
______________________________________________________________________
Oracle E-Business Suite FNDFS Vulnerability
April 10, 2003
______________________________________________________________________
Summary:
The Oracle Applications FNDFS program, used to retrieve report output from
the Concurrent Manager server, can be used to remotely retrieve any file
from the server without operating system or application authentication. A
mandatory patch from Oracle is required to solve this security issue.
Product: Oracle E-Business Suite
Versions: 10.7, 11.0 and 11.5.1 - 11.5.8
Platforms: All platforms
Risk Level: High
______________________________________________________________________
Description:
There exists a weakness in the communications protocol used by the Oracle
Applications FND File Server (FNDFS) program, also referred to as the Report
Review Agent (RRA), that may allow an attacker to retrieve any file from
Oracle Applications Concurrent Manager servers, bypassing operating system,
database, and application authentication. In most implementations the
Concurrent Manager server is also the database server. The FNDFS program
is used by the Report Viewer (FNDWRR.exe) and ADI Request Center to retrieve
reports and logs from the Concurrent Manager server.
An attacker can exploit this vulnerability to retrieve sensitive data or
files containing critical passwords from the server. Any file accessible by
the oracle or applmgr accounts can be retrieved. Direct access to the
Concurrent Manager server via SQL*Net is required.
Solution:
Oracle has released patches for Oracle Applications 11.0 and 11i to correct
this vulnerability. Oracle has implemented a new security layer in the
communications protocol used by the FNDFS program.
The following Oracle patches must be applied to all servers --
Version Patch
------- -----
11.0 2782950 (All Releases)
11i 2782945 (11.5.1 - 11.5.8)
Application Desktop Integrator (ADI) users must also apply patch 2778660 to
allow ADI clients to connect to the new FNDFS program.
Appropriate testing and backups should be performed before applying any
patches.
All firewalls should block or filter the SQL*Net protocol, not permitting
any SQL*Net access to the Concurrent Manager or database servers from the
Internet or unsecured networks. Please note that the FNDFS program does not
run on the standard Oracle SQL*Net port 1521, thus multiple SQL*Net ports
must be blocked or filtered.
Security for the FNDFS TNS Listener should be evaluated and include a
password on the listener and connection limitations to only allow the
application servers access to the listener. Customers running ADI may not
be able to limit access to the listener, since ADI's Request Center requires
direct access to the listener from the client. Additional information on
security for Oracle TNS listeners can be found at:
http://www.integrigy.com/info/Integrigy_OracleDB_Listener_Security.pdf
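The listener controls recommended above (a listener password and limiting connections to the application servers) and the non-1521 port note can be checked from the listener's Oracle Net files. The following is an added example, not code from the advisory or from Oracle: it parses a listener.ora and the sqlnet.ora in the listener's TNS_ADMIN directory and reports which control is missing; the listener name APPS_LISTENER, the host names, the port and the password hash are assumed placeholders.

```python
# Added example (not from the Integrigy advisory): audit the FNDFS listener's
# Oracle Net files. Sample files below are constructed; names/hosts/port are placeholders.
import re

LISTENER_ORA_WEAK = """
APPS_LISTENER =
  (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCP)(HOST = cmhost.example.com)(PORT = 1626)))
"""
LISTENER_ORA_HARDENED = LISTENER_ORA_WEAK + """
PASSWORDS_APPS_LISTENER = (1A2B3C4D5E6F7A8B)  # placeholder hash set with lsnrctl
"""
SQLNET_ORA_HARDENED = """
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (cmhost.example.com, apps1.example.com)
"""

def parse_params(text):
    """Return {NAME: value} for the top-level NAME = value entries of an Oracle
    Net parameter file; values may span lines inside nested parentheses."""
    text = re.sub(r"#[^\n]*", "", text)          # drop comments
    params, depth, cur = {}, 0, ""
    for ch in text + "\n":
        depth += (ch == "(") - (ch == ")")       # parenthesis nesting level
        # an entry ends at a newline outside parentheses, unless the line
        # stopped right after '=' (the value continues on the next line)
        if ch == "\n" and depth == 0 and not cur.rstrip().endswith("="):
            if "=" in cur:
                name, val = cur.split("=", 1)
                params[name.strip().upper()] = " ".join(val.split())
            cur = ""
        else:
            cur += ch
    return params

def listener_ports(listener, listener_ora):
    """TCP ports the named listener binds: the SQL*Net ports a firewall must
    filter in addition to the standard 1521."""
    addr = parse_params(listener_ora).get(listener.upper(), "")
    return [int(p) for p in re.findall(r"\(PORT\s*=\s*(\d+)\)", addr)]

def audit_listener(listener, listener_ora, sqlnet_ora):
    """Findings for the listener; an empty list means both controls are set."""
    lsn, net, findings = parse_params(listener_ora), parse_params(sqlnet_ora), []
    if f"PASSWORDS_{listener.upper()}" not in lsn:
        findings.append(f"{listener}: no listener password set")
    if net.get("TCP.VALIDNODE_CHECKING", "NO").upper() != "YES":
        findings.append("sqlnet.ora: TCP.VALIDNODE_CHECKING is not YES")
    elif not net.get("TCP.INVITED_NODES", "").strip("() "):
        findings.append("sqlnet.ora: TCP.INVITED_NODES is empty")
    return findings
```

As the advisory notes, sites running ADI may not be able to restrict TCP.INVITED_NODES to the application servers, since the ADI Request Center connects to the listener directly from the client.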
Additional Information:
http://www.integrigy.com/resources.htm
http://otn.oracle.com/deploy/security/pdf/2003alert53.pdf
For more information or questions regarding this security alert, please
contact us at [email protected].
Credit:
This vulnerability was discovered by Stephen Kost of Integrigy Corporation.
Integrigy is a member of the Oracle PartnerNetwork.
_____________________________________________________________________
About Integrigy Corporation (www.integrigy.com)
Integrigy Corporation is a leader in application security for large
enterprise, mission critical applications. Our application vulnerability
assessment tool, AppSentry, assists companies in securing their largest and
most important applications. Integrigy Consulting offers security assessment
services for leading ERP and CRM applications.
For more information, visit www.integrigy.com.