Researcher discloses critical flaws in Oracle Forms and Reports

After two years, she became frustrated over Oracle's apparent lack of concern, and has fully disclosed the inner workings her vulnerability discovery.

Researcher Dana Taylor recently disclosed three vulnerabilities found in Oracle's Forms and Reports products, which if exploited would allow an attacker access to the victim's server, or worse, their entire network.

The issues were discovered and reported responsibly in 2011. But in the years since, Taylor feels that Oracle hasn't done enough to protect customers. So she has opted for Full Disclosure of the vulnerabilities and the steps needed to reproduce them.

In a blog post, she made her frustrations clear:

"After working with Oracle starting about 2 years ago, they refused to treat these vulnerabilities as serious and didn’t appropriately address them. If you give a vulnerability a rating of medium/low it is likely not going to get any attention drawn to it by those who manage Oracle servers. I showed Oracle the videos of getting a remote shell on one of their vulnerable systems and they didn’t budge from their current stance."

Noting that she went above and beyond what most vendors and security professionals consider responsible disclosure, Taylor said she is releasing the details of her work publicly in order to hold "vendors responsible for their own vulnerabilities." This includes treating them "with a proper criticality rating as well as taking appropriate action to protect users of their product," she said.

In April of 2011, Taylor disclosed a flaw to Oracle that if exploited, made it possible to dump database passwords with an unauthenticated Web browser. Oracle dismissed the vulnerability, calling it a configuration error.

Later that same year, she reported a second vulnerability. This time, her disclosure addressed problems, which would allow an attacker to view the server's file system in a browser; download any file that the "oracle" account had access to (including SSH keys); load external pages; use the server as a proxy to scan the network; or a firewall bypass, in order to access restricted applications such as Oracle's Enterprise Manager console. Moreover, it's possible to use her discovery to gain a remote shell on the vulnerable server, which would be catastrophic for some organizations.

This time Oracle listened, promising to take action on the second report. When reminded of the first disclosure, Oracle backtracked and changed their stance form it being a configuration error, to acknowledging that it was in fact a legitimate security vulnerability.

Since the initial response from Oracle in November 2011, the software giant has issued workarounds to address the problems, and released a software updates for 11g. But they didn't rank the updates and patches as critical.

This lower assessment level, Taylor says, means that some companies might not have applied them, leaving scores of systems vulnerable to compromise. Moreover, 10g is no longer supported, and Oracle told Taylor to remind people of this fact in her disclosure.

"... as you can see by Oracle’s response, they are willing to let older versions of the software remain vulnerable if workarounds were not put in place. The low severity rating means there are probably more vulnerable servers out there than if it received a high rating.

"And for versions older than 10.x [I am] not sure a workaround even exists. There are a lot of companies and governments that still use outdated versions of Oracle Reports and a simple Google search tells me they are out there. Government entities are usually way behind on software versions."

A Google search for indicators of websites using Oracle Forms and Reports shows more than 6.3 million results. Even if the duplicates and patched servers were removed, there's a high probability that an attacker would discover a vulnerable server and gain access to sensitive information or launch an attack leveraging the credibility of a given government agency or organization.

Salted Hash has reached out to Oracle for additional comment. If they respond, this story will be updated accordingly. In the meantime, if your organization is using Oracle's Forms and Reports, make sure you've applied the proper patches and workarounds.


Copyright © 2014 IDG Communications, Inc.

The 7 best password managers for business