The OpenNET Project
[NEWS] Oracle Application Server 10g Directory Traversal


From: SecuriTeam <support@securiteam.com>
To: [email protected]
Date: 17 Jan 2007 17:31:05 +0200
Subject: [NEWS] Oracle Application Server 10g Directory Traversal
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20070117153209.296BC5853@mail.tyumen.ru>
X-Virus-Scanned: antivirus-gw at tyumen.ru

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com




  Oracle Application Server 10g Directory Traversal
------------------------------------------------------------------------


SUMMARY

"Oracle Application Server 10g offers a comprehensive solution for 
developing, integrating, and deploying your enterprise's applications, 
portals, and Web services. Based on a powerful and scalable J2EE server, 
Oracle Application Server 10g provides complete business integration and 
business intelligence suites, and best-of-breed portal software. Oracle 
Application Server 10g is the only platform designed for grid computing as 
well as full lifecycle support for Service-Oriented Architecture (SOA)."

A vulnerable server side component allows remote access to files outside 
of the application's root directory with permissions of the LocalSystem 
process. No authentication is required.

DETAILS

Vulnerable Systems:
 * Oracle Application Server 10g Release 3 (10.1.3.0.0)

The server side component EmChartBean is part of the Oracle Enterprise 
Manager 10g Application Server Control Software. EmChartBean is vulnerable 
to a directory traversal attack.

The vulnerability can be exploited by sending an unauthenticated HTTP GET 
request. Remote access is granted to files outside of the application's 
root directory with the permissions of the javaw.exe process, which by 
default runs with LocalSystem privileges.

The server side component EmChartBean only exists at runtime, and is 
unpacked from a JAR file after an initial call to the login page. Thus, a 
single request to the login page is required before an attacker can 
successfully exploit the vulnerability.
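The two passages above describe the flaw (a server-side component that serves files by path without confining them to the application root) and how it is reached (an unauthenticated GET whose path parameter carries traversal sequences). The following Python is an added example written for this page, not code from the advisory, from Oracle, or from SecuriTeam. It shows the defender's side of both points: a path-containment check of the kind the vulnerable component lacked, and a scan over web-server access logs that flags traversal attempts. The application root, the request paths, the `file=` parameter name and the log lines are all constructed for the example; the advisory does not give the real URL of EmChartBean or its parameter names.

```python
import os
import re
from urllib.parse import unquote

# Hypothetical application root for the example; not Oracle's real directory layout.
APP_ROOT = "/opt/oracle/appserver/webapp"


def _fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly until the value stops changing, so that
    double-encoded sequences such as %252e%252e ('..') are not missed."""
    decoded = value
    for _ in range(max_rounds):
        new = unquote(decoded)
        if new == decoded:
            break
        decoded = new
    return decoded


def resolve_within_root(requested, root=APP_ROOT):
    """Return the absolute filesystem path for `requested` only if it stays
    inside `root`; return None when the request would escape the root.
    This is the containment check a file-serving component needs before
    opening anything on behalf of an unauthenticated caller."""
    decoded = _fully_decode(requested)
    # The affected server runs under javaw.exe on Windows, so treat
    # backslashes as separators too.
    decoded = decoded.replace("\\", "/")
    # NUL bytes can truncate the path in native file APIs; refuse them outright.
    if "\x00" in decoded:
        return None
    root_abs = os.path.abspath(root)
    # Strip a leading slash so the request is always joined beneath the root,
    # then let abspath collapse any '..' segments.
    candidate = os.path.abspath(os.path.join(root_abs, decoded.lstrip("/")))
    # Containment: the candidate must be the root itself or live beneath it.
    # Comparing against root + os.sep also rejects sibling directories whose
    # name merely starts with the root's name (e.g. .../webapp2).
    if candidate != root_abs and not candidate.startswith(root_abs + os.sep):
        return None
    return candidate


def is_traversal_request(target):
    """True if the request target contains a '..' path segment after
    decoding, looking inside query parameters as well as the path."""
    decoded = _fully_decode(target).replace("\\", "/")
    return any(seg == ".." for seg in re.split(r"[/?&=]", decoded))


# Common Log Format: client, identd, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_traversal_attempts(log_text):
    """Scan access-log text and return (client, target, status) for each
    request carrying a traversal sequence. A 200 status on such a request
    is the signal that the server actually handed the file back."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_traversal_request(m.group("target")):
            hits.append((m.group("ip"), m.group("target"), int(m.group("status"))))
    return hits


# Constructed sample log: the URL paths and the 'file' parameter are invented
# for this example, not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jan/2007:10:01:02 +0200] "GET /em/console/logon HTTP/1.1" 200 5120
10.0.0.5 - - [17/Jan/2007:10:01:09 +0200] "GET /em/EmChartBean?file=../../../../boot.ini HTTP/1.1" 200 340
10.0.0.7 - - [17/Jan/2007:10:02:15 +0200] "GET /em/images/chart.gif HTTP/1.1" 200 1200
10.0.0.5 - - [17/Jan/2007:10:02:40 +0200] "GET /em/EmChartBean?file=..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200 410
"""

if __name__ == "__main__":
    for client, target, status in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {client}: {target} -> HTTP {status}")
    for req in ("images/chart.gif", "../../../../boot.ini", "..%252F..%252Fetc%2Fpasswd"):
        print(f"{req!r} -> {resolve_within_root(req)}")
```

The containment check deliberately canonicalises before comparing rather than blacklisting `..`: a denylist misses encodings it did not anticipate, while comparing the resolved absolute path against the root catches every variant, including mixed slashes and multi-level encoding. The log scan decodes the same way, so the detector and the mitigation agree on what counts as an escape.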

Vendor Response:
The fix for this security vulnerability is included in Oracle's January 
2007 Critical Patch Update. The Critical Patch Update advisory, which 
lists the versions affected and contains links to more information and 
patches, is available at:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html

The main page for Oracle Critical Patch Updates and Security Alerts is 
available at:
http://www.oracle.com/technology/deploy/security/alerts.htm

Recommendation:
Follow your organization's testing procedures before applying patches or 
workarounds. Symantec recommends that customers should apply Oracle's 
update as soon as possible.

Oracle strongly recommends applying the Oracle Enterprise Manager patches 
released with the January 2007 Critical Patch Update to all instances 
affected by this problem.

CVE Information:
CVE-2007-0222
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0222


ADDITIONAL INFORMATION

The information has been provided by Oliver Karow <Oliver_Karow@symantec.com>.
The original article can be found at:
http://www.securityfocus.com/bid/22027





DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
