Oracle Jinitiator 1.1.8 Vulnerabilities CVE-2007-4467 - Additional Information
From: "Integrigy Alerts" <alerts@integrigy.com.>
To: <bugtraq@securityfocus.com.>
Subject: Oracle Jinitiator 1.1.8 Vulnerabilities CVE-2007-4467 - Additional Information
Date: Wed, 12 Sep 2007 08:29:57 -0500
Message-ID: <012801c7f541$0360e6b0$0a22b410$@com>
MIME-Version: 1.0
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Thread-Index: Acf1QQMGmKinmA0oTGG+fYuE3Ei44A==
Content-Language: en-us
X-Virus-Scanned: antivirus-gw at tyumen.ru

US-CERT released an advisory on August 28, 2007 regarding multiple stack buffer overflows in the Oracle Jinitiator product (Vulnerability Note VU#474433/CVE-2007-4467). Due to limited public technical information on Jinitiator, no access to the Oracle support website, and possibly a lack of cooperation from Oracle itself, the information released by US-CERT is incomplete as to the true scope of vulnerable Jinitiator versions, does not identify all vulnerable Jinitiator installs, and offers only limited remediation steps.

All released Jinitiator 1.1.8 versions from 1.1.8.3 to 1.1.8.25 contain the buffer overflows in the Jinitiator ActiveX control; the US-CERT advisory only identifies versions through 1.1.8.16 as vulnerable. Each Jinitiator 1.1.8 version install uses a separate Microsoft Windows CLSID for the vulnerable ActiveX control so that multiple versions can co-exist. Therefore, 15 CLSIDs must be used to identify and disable the vulnerable ActiveX controls, rather than the single CLSID identified in the original advisory. In addition to disabling and uninstalling the vulnerable Jinitiator software, applications currently using vulnerable Jinitiator versions must be upgraded to use version 1.3.x, which may also require upgrading the Oracle Forms software running on the server. It is important to note that each Jinitiator version (1.1.8.x) is a separate installation, so there could theoretically be as many as 15 versions of Jinitiator 1.1.8 simultaneously installed on a client PC, even though only one or two versions are currently being used.
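Because each 1.1.8.x install registers its control under its own CLSID, a client audit has to enumerate CLSIDs rather than look for one known value. The following script is an added example, not part of the Integrigy advisory: it lists every registered ActiveX control whose in-process server DLL path contains "JInitiator" (an assumption about the install layout, since the advisory gives no paths or CLSIDs) and reports whether the Internet Explorer kill bit is set for each, then sets the kill bit on any 1.1.8.x control still loadable.

```powershell
# Added example (not from the advisory): audit a Windows client for ActiveX
# controls registered by Oracle Jinitiator 1.1.8.x and report the IE kill-bit
# state per CLSID. Run in an elevated PowerShell session.
# Matching "JInitiator" in the InprocServer32 path is an assumption.

$killBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KILL_BIT    = 0x400   # COMPAT_EVIL_DONT_LOAD: IE refuses to instantiate the control

function Get-JinitiatorControls {
    # Walk every CLSID and keep those whose in-process server DLL lives under
    # a Jinitiator directory (assumed naming: "...\JInitiator 1.1.8.x\...").
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $server = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        $dll = $server.'(default)'
        if ($dll -and $dll -match 'JInitiator') {
            $clsid = $_.PSChildName
            $flags = (Get-ItemProperty -Path (Join-Path $killBitRoot $clsid) `
                        -ErrorAction SilentlyContinue).'Compatibility Flags'
            [pscustomobject]@{
                CLSID      = $clsid
                Dll        = $dll
                Version    = if ($dll -match '1\.1\.8\.\d+') { $Matches[0] } else { 'unknown' }
                KillBitSet = [bool]($flags -band $KILL_BIT)
            }
        }
      }
}

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # Writing Compatibility Flags = 0x400 blocks the control in IE without
    # uninstalling it; the upgrade to 1.3.x is still required.
    $key = Join-Path $killBitRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
                     -Value $KILL_BIT -Force | Out-Null
}

$controls = Get-JinitiatorControls
$controls | Format-Table -AutoSize

# Apply the kill bit to every 1.1.8.x control that IE can still load.
$controls | Where-Object { -not $_.KillBitSet -and $_.Version -like '1.1.8.*' } |
  ForEach-Object { Set-KillBit -Clsid $_.CLSID }
```

On 64-bit Windows, 32-bit controls are registered under HKCR\Wow6432Node\CLSID and their kill bits live under HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so run the audit against both views.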

Oracle Jinitiator is used by many Oracle Forms applications including mission-critical applications like Oracle E-Business Suite 11i, Oracle Clinical (RDC), Retek/Oracle Retail, Sungard Banner, and i-flex FLEXCUBE. Any client PC that has accessed an Oracle Forms application may have one or more vulnerable Jinitiator versions installed, since obsolete versions are never overwritten or uninstalled.

Integrigy has released a detailed analysis of these vulnerabilities to provide additional information and comprehensive remediation steps. The analysis can be downloaded from:

http://www.integrigy.com/security-resources/analysis/integrigy-oracle-jinitiator-vulnerability.pdf
