Reported April 11, 2003, by Stephen Kost.

VERSIONS AFFECTED

Oracle Applications (E-Business Suite) releases 10.7, 11.0, and 11i (11.5.1 through 11.5.8)

DESCRIPTION

A vulnerability in the communications protocol used by the Oracle Applications FND File Server (FNDFS) allows an attacker to bypass all operating-system, database, and application authentication and retrieve files from Oracle Applications Concurrent Manager servers. An attacker who can reach the Concurrent Manager server over SQL*Net (the Oracle Net listener port) can retrieve any file readable by the oracle or applmgr operating-system accounts, including configuration files that contain critical passwords. The exposure is therefore bounded by which hosts can reach the listener that serves FNDFS, so restricting that listener port to trusted nodes is the immediate mitigation while the patch is applied.
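Because the exposure depends on which hosts can reach the listener that registers FNDFS, the first practical step is to inventory those endpoints. The following script is an added example, not code from the original advisory, Integrigy, or Oracle: it parses a listener.ora file (the embedded sample is constructed in the layout of an 11i Apps listener, and its listener names, hosts, ports, and paths are assumptions) and reports every listener address whose SID list registers an FNDFS service, which is exactly the set of host:port pairs to restrict to trusted nodes.

```python
"""List Oracle Net listener endpoints that register the FNDFS service.

Added example; not Integrigy's or Oracle's code.  The sample listener.ora
below is constructed: listener names, hosts, ports and paths are assumptions.
"""
import re
import sys

# Constructed sample in the layout of an Oracle Applications 11i Apps listener
# (APPS_<SID>) alongside an ordinary database listener.
SAMPLE_LISTENER_ORA = """\
APPS_VIS =
  (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCP)(HOST = cm01.example.com)(PORT = 1626))
  )

SID_LIST_APPS_VIS =
  (SID_LIST =
    (SID_DESC = (SID_NAME = FNDFS)
      (ORACLE_HOME = /u01/app/oracle/806)
      (PROGRAM = /u01/app/applmgr/visappl/fnd/11.5.0/bin/FNDFS)
      (envs = 'EPC_DISABLED=TRUE,NLS_LANG=AMERICAN_AMERICA.WE8ISO8859P1')
    )
    (SID_DESC = (SID_NAME = FNDSM)
      (ORACLE_HOME = /u01/app/oracle/806)
      (PROGRAM = /u01/app/applmgr/visappl/fnd/11.5.0/bin/FNDSM)
    )
  )

LISTENER =
  (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.com)(PORT = 1521))
  )

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = VIS)(ORACLE_HOME = /u01/app/oracle/817))
  )
"""

# Tokens of the Oracle Net parameter syntax: parens, '=', quoted strings, bare words.
_TOKEN = re.compile(r"\s*(\(|\)|=|'[^']*'|\"[^\"]*\"|[^\s()=]+)")


def tokenize(text):
    """Drop '#' comments and split the file into tokens."""
    lines = [ln.split("#", 1)[0] for ln in text.splitlines()]
    return _TOKEN.findall("\n".join(lines))


def _parse_value(tokens, i):
    """Parse a value at tokens[i]: either a bare scalar or one or more
    parenthesised (KEY = value) groups, kept as an ordered list of pairs so
    repeated keys such as ADDRESS and SID_DESC are preserved."""
    if tokens[i] != "(":
        return tokens[i].strip("'\""), i + 1
    pairs = []
    while i < len(tokens) and tokens[i] == "(":
        key = tokens[i + 1]
        assert tokens[i + 2] == "=", f"expected '=' after {key}"
        value, i = _parse_value(tokens, i + 3)
        assert tokens[i] == ")", f"expected ')' closing {key}"
        pairs.append((key.upper(), value))
        i += 1
    return pairs, i


def parse_listener_ora(text):
    """Return {TOP_LEVEL_NAME: value} for every entry in a listener.ora."""
    tokens = tokenize(text)
    entries, i = {}, 0
    while i < len(tokens):
        name = tokens[i]
        assert tokens[i + 1] == "=", f"expected '=' after {name}"
        value, i = _parse_value(tokens, i + 2)
        entries[name.upper()] = value
    return entries


def _find(pairs, key):
    """All values stored under `key` in a list of (key, value) pairs."""
    return [v for k, v in pairs if k == key]


def _addresses(node):
    """Recursively collect (protocol, host, port) from every ADDRESS group."""
    found = []
    if not isinstance(node, list):
        return found
    for key, value in node:
        if key == "ADDRESS" and isinstance(value, list):
            proto = (_find(value, "PROTOCOL") or ["?"])[0]
            host = (_find(value, "HOST") or ["?"])[0]
            port = (_find(value, "PORT") or ["?"])[0]
            found.append((str(proto).upper(), str(host), str(port)))
        else:
            found.extend(_addresses(value))
    return found


def fndfs_endpoints(text):
    """Map each listener whose SID_LIST registers FNDFS to its addresses."""
    entries = parse_listener_ora(text)
    exposed = {}
    for name, value in entries.items():
        if not name.startswith("SID_LIST_") or not isinstance(value, list):
            continue
        listener = name[len("SID_LIST_"):]
        sid_names = [
            str(s).upper()
            for sid_list in _find(value, "SID_LIST")
            for desc in _find(sid_list, "SID_DESC")
            for s in _find(desc, "SID_NAME")
        ]
        if "FNDFS" in sid_names:
            exposed[listener] = _addresses(entries.get(listener, []))
    return exposed


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LISTENER_ORA
    for listener, addrs in fndfs_endpoints(source).items():
        for proto, host, port in addrs:
            print(f"{listener}: FNDFS served via {proto} {host}:{port}; restrict to trusted nodes")
```

Run it against the real Apps listener configuration (`python fndfs_endpoints.py /path/to/listener.ora`); each reported host:port is an address that every non-trusted network segment should be unable to reach until the vendor patch is in place.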

VENDOR RESPONSE

Oracle has released a security bulletin for this vulnerability and recommends that affected customers download and apply the appropriate patch.

CREDIT

Discovered by Stephen Kost of Integrigy Corporation.