search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Oracle E-Business Suite Report Review Agent (RRA) allows arbitrary files to be retrieved with no authentication

Vulnerability Note VU#168873

Original Release Date: 2003-04-14 | Last Revised: 2003-04-14

Overview

A vulnerability in Oracle's E-Business Suite Report Review Agent (RRA) allows arbitrary files to be retrieved with no authentication.

Description

A vulnerability exists in the Oracle E-Business Suite Report Review Agent (RRA). This vulnerability may allow a remote attacker to retrieve arbitrary information from Oracle Applications Concurrent Manager servers prior to authentication. For more information, please see the following documents:

Impact

A remote attacker may be able to retrieve arbitrary information from Oracle Applications Concurrent Manager servers prior to authentication.

Solution

Apply a vendor supplied patch.

Mitigation
Monitor and/or restrict access to the Concurrent Manager server(s). It may be possible to use TCP Wrappers or similar technology to provide improved access control and logging. Additionally, an application-level firewall and Intrusion Detection System (IDS) may be able to filter requests. Note that these workarounds are designed to limit access and detect exploit attempts. These workarounds do not prevent exploitation of this vulnerability. For more information about which ports to filter, please see the Integrity Security Alert.

Vendor Information

168873
 
Affected   Unknown   Unaffected

Oracle Corporation

Updated:  April 14, 2003

Status

  Vulnerable

Vendor Statement

http://otn.oracle.com/deploy/security/pdf/2003alert53.pdf

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

This vulnerability was discovered by Stephen Kost of Integrigy Corporation.

This document was written by Ian A Finlay.

Other Information

CVE IDs: None
Severity Metric: 9.38
Date Public: 2003-04-10
Date First Published: 2003-04-14
Date Last Updated: 2003-04-14 16:54 UTC
Document Revision: 14

Sponsored by CISA.