Oracle warns of flaws in E-Business suite

Two serious security vulnerabilities on Oracle's E-Business Suite could enable an attacker to run malicious code on an E-Business...

Two serious security vulnerabilities on Oracle's E-Business Suite could enable an attacker to run malicious code on an E-Business Suite server or view product configuration information.

A buffer overflow vulnerability in an E-Business Suite component called FNDWRR could let an attacker cause that program to crash.

FNDWRR is a common gateway interface program that lets customers view Oracle reports and log files through a web browser, according to an alert released by Integrity, the security research firm that discovered the vulnerabilities.

Attackers could use a web browser and specially crafted URLs to create a buffer overflow, crippling FNDWRR.

Oracle insisted that attacks against FNDWRR would not disable the E-Business Suite, but Integrity warned that the vulnerabilities could allow attackers to run malicious code.

Oracle also announced that a security hole was found in Java Server Pages (JSPs) associated with an E-Business Suite component called AOL/J Setup Test Suite.

Part of E-Business Suite's Oracle Applications Self-Service Framework (OA Framework), the Setup Test Suite, is installed on all Oracle 11i web and forms servers and is used to verify the installation and configuration of the OA Framework, Integrity said.

The JSPs contain multiple security vulnerabilities that could enable an attacker to obtain configuration information which could be used to exploit E-Business Suite.

A patch for the hole removes the security hole and requires users to sign on before viewing configuration information stored in the JSPs, Oracle said.

The vulnerabilities were both rated "high risk". Oracle provided software patches to fix each problem and strongly urged its customers to review the security bulletins and apply the patches.

Earlier this week Oracle disclosed a third vulnerability that affects the Oracle Database product.

A buffer overflow in an Database component called EXTPROC could allow an attacker to run malicious code on an affected machine.

Attackers would need to have a valid database login with special privileges to be able to take advantage of the flaw, and attacks could not be launched remotely, Oracle said.

An exception was in situations where the Oracle database was connected directly to the internet without protection from an intervening application server or firewall. However, best-practices guidelines strongly advised customers to avoid such high-risk deployments.

For those reasons, Oracle rated the vulnerability "low risk", saying it was most susceptible to exploitation by "insider attacks" originating on corporate intranets.

Oracle released a patch for the buffer overflow vulnerability and recommended that customers review the security alert before applying the patch.

In April, Oracle issued a patch for a critical buffer overflow vulnerability affecting all supported versions of Oracle database servers.

Meanwhile, Oracle is releasing the ninth update to its E-Business Suite 11i set of business applications, featuring 900 tweaks and features aimed at benefiting customers in a variety of industries.

The updates address capabilities requested by Oracle's customers, most notably in Oracle's financial applications, said Mike Rosser, Oracle's vice president of worldwide applications marketing.

The latest version of Oracle Financials includes more detailed revenue recognition controls, expanded expense audit management tools and reporting features, and extended multicurrency translation options.

A credit management application aids users in evaluating the creditworthiness of customers and prospects. Oracle has built into the software integration hooks with credit information sources such as Dun & Bradstreet's database.

New capabilities in the E-Business Suite 11i.9 have been tailored for companies in more than 20 industries, including defence, automotive, communication, packaged goods, financial services and life sciences.

The updates are available worldwide, via electronic download or CD-Rom, to new Oracle customers and existing customers with maintenance contracts.

Oracle is not working on any major overhauls of the E-Business Suite. It intends to stick with the 11i code base for the foreseeable future, updating it with new incremental releases every six to eight months.

Paul Roberts and Stacy Cowley write for IDG News Service

Read more on IT risk management