Oracle Plugs Three Security Holes

Written By
Ryan Naraine
Jul 25, 2003

Oracle has issued patches to plug three security holes in its software suite, including two potentially serious flaws affecting its E-Business and Applications products.

The most serious issue was detected in the Oracle Applications Web Report Review (FNDWRR) program, which is implemented as a CGI. In an advisory, Oracle said a buffer overflow exists in the FNDWRR program that could allow an attacker to gain control of the process and execute arbitrary code on the server.

“This buffer overflow can be remotely exploited using a web browser and an overly long URL,” the company said, urging users to apply the required patches immediately. Affected software includes the Oracle E-Business Suite 11i and Oracle Applications 10.x through 11i.

In a separate warning, Oracle said research firm NGS Software found a buffer overflow vulnerability in the Oracle 8i and 9i database server products.

Patches have been issued to plug the uncontrolled buffer in the “CREATE LIBRARY” and “CREATE ANY LIBRARY” SQL functions, the company said. “Users who have been granted access to these functions could possibly exploit this to execute arbitrary code on the database server,” Oracle warned.

A third alert from the Redwood City, Calif.-based Oracle warned of another flaw in the E-Business suite that could compromise the security of sensitive information.

That hole, discovered by researchers at Integrigy, affects the Oracle E-Business Suite 11i and Oracle Applications 11.x through 11i. The company said the problem existed in the “aoljtest.jsp” script, which is part of the OA Framework Test Suite. The script contains multiple vulnerabilities that could allow malicious people to see system information, including the guest user's password and application server security key.

Included in the advisory is a patch which restricts access so that only authenticated users can access “aoljtest.jsp”.
