Oracle E-Business Suite ADE Vulnerability

posted onMay 24, 2001
by hitbsecnews

Vulnerability in Oracle E-Business
Suite Release 11i Applications
Desktop Integrator

Overview

A potential security vulnerability
has been discovered in Applications
Desktop Integrator (ADI) version
7.X for Oracle E-Business Suite
Release 11i. A debug version of the
FNDPUB11I.DLL was inadvertently
released with a patch to
Applications Desktop Integrator
(ADI) version 7.X. This DLL writes
a debug file to the client machine
that includes the clear text APPS
schema password. A malicious user
could use this DLL to obtain the
APPS schema password and thereby
gain elevated privileges.

Products Affected

Any Oracle E-Business Suite Release 11i installation may be affected by this vulnerability, even if the ADI product is not being used.

Platforms Affected

All platforms.

Solution

The debug version of FNDPUB11I.DLL has been replaced with a production version. In addition, a patch is available that introduces an enhanced security feature, Application Server Security, to prevent the debug DLL from connecting to the database. The complete solution to this vulnerability requires both replacement of the debug version DLL and implementation of the Application Server Security patch.

The patches for this vulnerability can be downloaded from the Oracle Worldwide Support Services web site, Metalink (http://metalink.oracle.com). Press the "Patches" button to get to the Patch Download page. Click on the link labeled "Click Here for ALL Product Patches". Enter the patch number, select a platform, then press Submit to access the correct patch for your platform.

To obtain the full Application Server Security patch, download patch 1779336. The patch includes:

- Application Server Security feature
- Trusted implementations of middle-tier connection code

If you do not wish to upgrade your middle-tier application servers at this time, a database-only version for the patch is also available as Patch Number 1785034. This patch contains only the Application Server Security feature. As a result of applying this patch, application servers with old connection code will need to be registered as trusted servers before they can access the database. See the README.TXT files associated with the patch for further instructions.

Apply the Application Server Security patch and turn server security 'ON'. The old versions of ADI will no longer be able to connect. New versions of ADI are available which contain a trusted implementation of the FNDPUB11I.DLL connection code. A new version of ADI will be required to connect to a database which has Application Server Security enabled. Obtain the correct ADI patch for your current version:

ADI Version Patch

< --------- -------
7.0 1775480
7.1.2 1775479
7.1.3 1775476

After turning on Application Server Security, it is strongly recommended that the APPS schema password be changed.

Credits

Oracle Corporation wishes to thank Melanie Abbas for discovering this vulnerability.

Source

Tags

Networking

You May Also Like

Other Articles In This Section

Recent News

Friday, November 1st

Youth of today say passwords are old news, passkeys are the future
Chinese attackers accessed Canadian government networks – for five years
OpenAI launches ChatGPT with Search, taking Google head-on
Here’s the paper no one read before declaring the demise of modern cryptography
Not just ChatGPT anymore: Perplexity and Anthropic’s Claude get desktop apps

Tuesday, July 9th

China's APT40 gang is ready to attack vulns within hours or days of public release
AI-Powered Super Soldiers Are More Than Just a Pipe Dream
The president ordered a board to probe a massive Russian cyberattack. It never did.
Massive car dealer ransom attack is mostly over after 2 weeks of work-arounds

Wednesday, July 3rd

“RegreSSHion” vulnerability in OpenSSH gives attackers root on Linux
Two of the German military’s new spy satellites appear to have failed in orbit

Friday, June 28th

Indonesian Airports, Data Centres Hit By Worst Cyberattack in Years
Cisco Talos warns of wider security implications following Snowflake breach

Thursday, June 27th

I Wore Meta Ray-Bans in Montreal to Test Their AI Translation Skills. It Did Not Go Well
Researchers upend AI status quo by eliminating matrix multiplication in LLMs
YouTube tries convincing record labels to license music for AI song generator
Critical MOVEit vulnerability puts huge swaths of the Internet at severe risk
Julian Assange to plead guilty but is going home after long extradition fight

Thursday, June 13th

Hackers show off jailbroken checkm8-vulnerable iPad and Apple TV running iPadOS 18 & tvOS 18 respectively
One of the major sellers of detailed driver behavioral data is shutting down
Turkish student creates custom AI device for cheating university exam, gets arrested

Wednesday, June 12th

Chinese-Made Biometric Access System Has 24 Vulnerabilities
Apple and OpenAI currently have the most misunderstood partnership in tech
Adobe to update vague AI terms after users threaten to cancel subscriptions
China state hackers infected 20,000 Fortinet VPNs

Tuesday, June 11th

Russia Is Targeting Germany With Fake Information as Europe Votes
Apple announces macOS 15 Sequoia with window tiling, iPhone mirroring, and more
Apple integrates ChatGPT into Siri, iOS, and macOS
British police to scan 480,000 Formula 1 fans’ faces at Silverstone
Hackers steal “significant volume” of data from hundreds of Snowflake customers

Friday, June 7th

7,000 LockBit decryption keys now in the hands of the FBI, offering victims hope
FCC pushes ISPs to fix security flaws in Internet routing
Can a technology called RAG keep AI models from making stuff up?
How to Lead an Army of Digital Sleuths in the Age of AI

Thursday, June 6th

Mystery object waits nearly an hour between radio bursts