Concerned with the dangers posed by multiple vulnerabilities left unpatched by Oracle, a security researcher has gone public with information on six flaws -- three high-risk -- and recommends workarounds.
Alexander Kornbrust, a security researcher with Red-Database-Security GmbH, said he "tried to be fair" with Oracle Corp. when it came to releasing details on the flaws. But, he said, "more than 650 days [between 663 and 718 days] should be sufficient, even for a large company." He added that he told Oracle three months ago that he would announce these issues publicly if the company didn't produce a patch in its July roundup of fixes. Kornbrust also offered Oracle additional time to fix the flaws if it needed an extension, but the company never asked for additional time.
And he isn't the only one. It's widely known in the industry that a number of security researchers, including David Litchfield of NGSSoftware, have reported security issues to Oracle that remain unresolved -- in many cases more than a year later.
"Some people assume that there is a communication problem between Oracle and Red-Database-Security. That's possible," Kornbrust said. "But why has David Litchfield also 13 high and four medium security bugs open for almost a year? The next patch is scheduled for October 2005 -- more than one year. I heard similar complaints about slow patch process from iDefense and AppSecInc."
Kornbrust said the most serious of the flaws is the ability to overwrite any file via desname in Oracle Reports. It affects Oracle Reports 6.0, 6i, 9i and 10g. Oracle Reports, a component of the Oracle Application Server, is used in the E-Business Suite and many large customers use it as reporting tool for their enterprise applications. "An attacker could destroy Oracle Application Server on the Web by just modifying a URL," he added. "Vulnerable Reports servers can be found via Google Hacking. Within minutes an attacker could destroy several Application Servers." Click here for a workaround.
He also noted that two flaws that allow OS command execution are particularly serious.
A high-risk flaw in Oracle Forms Services, a component of the Application Server used in Oracle's E-Business Suite and a number of enterprise applications, can allow OS command execution, Kornbrust said. The vulnerability affects Oracle [Web] Forms 4.5, 5.0, 6.0, 6i, 9i and 10g. Click here for his workaround.
"Oracle Forms Services starts forms executables [*.fmx] from any directory and any user on the application server. These forms are executed as user Oracle or System [Windows]," Kornbrust wrote in the advisory. "An attacker able to upload a specially crafted forms executable to the application server is able to run any OS command and can overtake the application server. The upload could be done via Webdav, SMB, Webutil, SAMBA, NFS, FTP, etc. By using the form or module parameter with an absolute path it is possible to execute forms executables from ANY directory and ANY user."
Another high-risk flaw can allow an attacker to run any OS command via unauthorized
The advisory states: "Oracle Reports starts reports executables [*.rep or *.rdf] from any directory and any user on the application server. These reports are executed as user Oracle or System [Windows]. An attacker able to upload a specially crafted reports executable to the application server is able to run any OS command or read and write text files on the application server [e.g. wdbsvr.app containing Oracle passwords]. By using the report parameter with an absolute path it is possible to execute reports executables from ANY directory and ANY user."
The other flaws are less severe and include two medium-risk information disclosure flaws; one in desformat and another in customized parameters. The remaining low-risk cross-site scripting flaw affects Oracle Reports.
"Customers should read the advisories carefully, try to understand the problem(s) and try to implement the workarounds on their test system first," Korbrust recommended. "If everything is working they should implement these workarounds on their production system.
"Customers should also ask Oracle why does it take so long to fix security issues," Kornbrust concluded. "Is Oracle's security team too small to handle all these issues?"