In its latest quarterly Critical Patch Update, Oracle has acknowledged and repaired two security bugs identified by Sjoerd Resink, Senior IT Security Expert at Fox-IT.
The bugs were discovered during one of Fox-IT’s penetration testing assignments in version 10.1.4.3 of Oracle Application Server’s Single Sign-On component.
The first security issue, numbered CVE-2012-3175 by the Common Vulnerabilities and Exposures index, is rated as a 4.3 CVSS risk by Oracle and would allow an attacker to use web applications based on Oracle Application Server as an “open redirect”, i.e. to abuse the public’s confidence in a site to send people a link to a trusted website that would actually result in an automatic redirect to another, potentially malicious, web site. Attackers could also abuse such a vulnerability in specifically targeted phishing attacks (“spear phishing”).
The second bug (CVE-2012-0518), is actually a collection of three “Cross-Site Scripting” or XSS vulnerabilities in Oracle Application Server. It is also risk-rated at 4.3 by Oracle but is potentially more serious (in our opinion, the CVSS vulnerability scoring system tends to under-rate XSS issues). By sending people specially-crafted links to a web application based on Oracle Application Server, attackers can run Javascript code in the context of the vulnerable application. This means that an attacker can control how an application looks, and what an application does, if a user goes to the application through the attacker’s malicious link. It enables attackers to obtain passwords and/or take control of user sessions in the application in whatever way (s)he chooses.
One of the XSS issues is also undetected by Microsoft Internet Explorer’s XSS filtering feature. Another of the 3 XSS issues we reported to Oracle appears to have been first discovered in 2009 by the “Hackers Center Security Group” because it is described accurately on this web page.
Fox-IT recommends that all installations of web applications based on Oracle Application Server be upgraded with the latest Oracle Critical Patch Update as soon as possible.