In its latest quarterly Critical Patch Update, Oracle has acknowledged and repaired two security bugs identified by Sjoerd Resink, Senior IT Security Expert at Fox-IT.
The bugs were discovered during one of Fox-IT’s penetration testing assignments in version 10.1.4.3 of Oracle Application Server’s Single Sign-On component.
The first security issue, numbered CVE-2012-3175 by the Common Vulnerabilities and Exposures index, is rated as a 4.3 CVSS risk by Oracle and would allow an attacker to use web applications based on Oracle Application Server as an “open redirect”, i.e. to abuse the public’s confidence in a site to send people a link to a trusted website that would actually result in an automatic redirect to another, potentially malicious, web site. Attackers could also abuse such a vulnerability in specifically targeted phishing attacks (“spear phishing”).
One of the XSS issues is also undetected by Microsoft Internet Explorer’s XSS filtering feature. Another of the 3 XSS issues we reported to Oracle appears to have been first discovered in 2009 by the “Hackers Center Security Group” because it is described accurately on this web page.
Fox-IT recommends that all installations of web applications based on Oracle Application Server be upgraded with the latest Oracle Critical Patch Update as soon as possible.