CERT-In Vulnerability Note
Unauthorized Disclosure of Information in Oracle E-Business Suite
Original Issue Date: July 26, 2003
Severity Rating: HIGH
- Oracle E-Business Suite 11i, All Releases
- Oracle Applications, All Releases
This vulnerability, caused by a set of unsecured Java Server Pages, allows any user to view the product's configuration and host-system information.
It can be exploited to remotely retrieve sensitive configuration and host information without authentication.
The Oracle Applications Self-Service Framework is the foundation for self-service HRMS, iProcurement, iExpenses, and other web applications. A Test Suite, implemented as JSP, verifies the installation and configuration of OA Framework. The main JSP page is "aoljtest.jsp". The AOL/J Setup Test Suite is installed for all 11i web and forms servers in the $COMMON_TOP/html/jsp/fnd directory.
Multiple vulnerabilities in the AOL/J Setup Test Suite allow an attacker to obtain important information on the configuration of Oracle Applications without any database or application authentication. This information includes the GUEST user password and application server security key.
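A defender-side detection check for this issue, added here as an example and not part of the CERT-In note or of any Oracle tooling: it scans web-server access logs for requests to the AOL/J Setup Test Suite JSPs and flags those the server actually answered with HTTP 200, i.e. configuration pages handed to a client that never authenticated. It assumes Apache "combined" log format and that $COMMON_TOP/html is published under the /OA_HTML alias; the sample log lines are constructed.

```python
import re
from typing import Dict, List

# Apache "combined" access-log format is assumed: client IP, timestamp,
# request line and status code are the fields used here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# The suite is installed in $COMMON_TOP/html/jsp/fnd with aoljtest.jsp as its
# entry page, so any JSP requested from a ".../jsp/fnd/" path is a hit.
TEST_SUITE_RE = re.compile(r'/jsp/fnd/[^/?]+\.jsp', re.IGNORECASE)

# Constructed sample lines (RFC 5737 addresses). The /OA_HTML alias for
# $COMMON_TOP/html is an assumption about the deployment, not from the note.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Jul/2003:10:01:12 +0530] "GET /OA_HTML/jsp/fnd/aoljtest.jsp HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
198.51.100.9 - - [26/Jul/2003:10:01:40 +0530] "GET /OA_HTML/index.html HTTP/1.0" 200 8800 "-" "Mozilla/4.0"
192.0.2.5 - - [26/Jul/2003:10:03:17 +0530] "GET /OA_HTML/jsp/fnd/aoljtest.jsp HTTP/1.0" 403 312 "-" "curl/7.10"
"""

def find_test_suite_requests(log_text: str) -> List[Dict[str, object]]:
    """One record per request for a setup-test JSP; 'served' is True on a
    200, meaning the page went to a client that never authenticated."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not TEST_SUITE_RE.search(m.group("path")):
            continue
        status = int(m.group("status"))
        hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                     "path": m.group("path"), "status": status,
                     "served": status == 200})
    return hits

def exposed_sources(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Per client IP, how many test-suite pages were actually served."""
    counts: Dict[str, int] = {}
    for h in hits:
        if h["served"]:
            counts[str(h["ip"])] = counts.get(str(h["ip"]), 0) + 1
    return counts

if __name__ == "__main__":
    found = find_test_suite_requests(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["ip"], h["path"], h["status"],
              "DISCLOSED" if h["served"] else "blocked")
    print("clients served test-suite pages:", exposed_sources(found))
```

A 403 or 404 on these paths after patching confirms the pages are no longer reachable; any 200 logged before the patch marks a host whose GUEST password and application server security key should be treated as exposed.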
Apply the appropriate patch for bug number 2939083, available at http://metalink.oracle.com.
Appropriate testing and backups should be performed before applying any of these patches.
Oracle Security Alert 55, dated July 23, 2003.
The information provided herein is on "as is" basis, without warranty of any kind.
Email: email@example.com Phone: +91-11-2436857
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003