Stephen Kost of Integrigy discovered that a vulnerability in the communications protocol that Oracle Applications FND File Server (FNDFS) uses lets an attacker bypass any OS, database, and application authentication to retrieve files from Oracle Applications Concurrent Manager servers. If the attacker has direct access to the Concurrent Manager server through SQL*Net, he or she can retrieve sensitive data or files (e.g., any file that the oracle or applmgr accounts can access) that contain critical passwords. Oracle has released a security bulletin regarding this vulnerability and recommends that affected users download and apply the appropriate update.
http://www.secadministrator.com/articles/index.cfm?articleid=38686
Authentication Bypass Vulnerability in Oracle E-Business Suite