Integrigy Security Advisory
______________________________________________________________________
Oracle E-Business Suite FNDFS Vulnerability
April 10, 2003
______________________________________________________________________
Summary:
The Oracle Applications FNDFS program, used to retrieve report output from
the Concurrent Manager server, can be used to remotely retrieve any file
from the server without operating system or application authentication. A
mandatory patch from Oracle is required to solve this security issue.
Product: Oracle E-Business Suite
Versions: 10.7, 11.0 and 11.5.1 - 11.5.8
Platforms: All platforms
Risk Level: High
______________________________________________________________________
Description:
There exists a weakness in the communications protocol used by the Oracle
Applications FND File Server (FNDFS) program, also referred to as the Report
Review Agent (RRA), that may allow an attacker to retrieve any file from
Oracle Applications Concurrent Manager servers bypassing operating system,
database, and application authentication. The Concurrent Manager server is
usually also the database server in most implementations. The FNDFS program
is used by the Report Viewer (FNDWRR.exe) and ADI Request Center to retrieve
reports and logs from the Concurrent Manager server.
An attacker can exploit this vulnerability to retrieve sensitive data or
files containing critical passwords from the server. Any file accessible by
the oracle or applmgr accounts can be retrieved. Direct access to the
Concurrent Manager server via SQL*Net is required.
Solution:
Oracle has released patches for Oracle Applications 11.0 and 11i to correct
this vulnerability. Oracle has implemented a new security layer in the
communications protocol used by the FNDFS program.
The following Oracle patches must be applied to all servers --
Version Patch
------- -----
11.0 2782950 (All Releases)
11i 2782945 (11.5.1 - 11.5.8)
Application Desktop Integrator (ADI) users must also apply patch 2778660 to
allow ADI clients to connect to the new FNDFS program.
Appropriate testing and backups should be performed before applying any
patches.
All firewalls should block or filter the SQL*Net protocol, not permitting
any SQL*Net access to the Concurrent Manager or database servers from the
Internet or unsecured networks. Please note that the FNDFS program does not
run on the standard Oracle SQL*Net port 1521, thus multiple SQL*Net ports
must be blocked or filtered.
Security for the FNDFS TNS Listener should be evaluated and include a
password on the listener and connection limitations to only allow the
application servers access to the listener. Customers running ADI may not
be able to limit access to the listener, since ADI's Request Center requires
direct access to the listener from the client. Additional information on
security for Oracle TNS listeners can be found at:
http://www.integrigy.com/info/Integrigy_OracleDB_Listener_Security.pdf
Additional Information:
http://www.integrigy.com/resources.htm
http://otn.oracle.com/deploy/security/pdf/2003alert53.pdf
For more information or questions regarding this security alert, please
contact us at alertsat_private
Credit:
This vulnerability was discovered by Stephen Kost of Integrigy Corporation.
Integrigy is a member of the Oracle PartnerNetwork.
_____________________________________________________________________
About Integrigy Corporation (www.integrigy.com)
Integrigy Corporation is a leader in application security for large
enterprise, mission critical applications. Our application vulnerability
assessment tool, AppSentry, assists companies in securing their largest and
most important applications. Integrigy Consulting offers security assessment
services for leading ERP and CRM applications.
For more information, visit www.integrigy.com.
This archive was generated by hypermail 2b30 : Fri Apr 11 2003 - 23:22:49 PDT