Data Leak, Phishing Security Flaws Revealed in Oracle iPlanet Web Server
A set of vulnerabilities affecting Oracle’s iPlanet web server has been disclosed by researchers.
Tracked as CVE-2020-9315 and CVE-2020-9314, security holes allow sensitive data exposure and limited injection attacks.
First discovered by Nightwatch Cyber Security researchers on January 19, 2020, the issues were found in the Enterprise Server Management System web administration console.
CVE-2020-9315 allows any console page to be read without authentication, simply by substituting the target page into an administrative GUI URL. Researchers say this bug could lead to the leakage of sensitive data, including configuration information and encryption keys.
The second security flaw, CVE-2020-9314, was discovered in the “productNameSrc” parameter of the console. An incomplete fix for CVE-2012-0516, an “unspecified” security issue involving XSS validation, allowed this parameter to be abused in conjunction with the “productNameHeight” and “productNameWidth” parameters to inject images into the domain for phishing and social engineering purposes.
Oracle iPlanet Web Server 7.0.x is vulnerable to these issues, but it is not known whether earlier versions of the application are also affected. Researchers say the latest versions of Oracle Glassfish and Eclipse Glassfish “share common code” with iPlanet, but they “don’t appear to be vulnerable.”
As iPlanet Web Server 7.0.x is a legacy product and is no longer supported (PDF) by Oracle, there are no plans to release any security fixes.
“Since Oracle no longer supports Oracle iPlanet Web Server 7.0.x, the policy is that there is no coordinated disclosure involving Oracle,” the company said. “Journalists who discover security vulnerabilities in products that Oracle no longer supports are free to disclose the details of the vulnerability without Oracle’s involvement.”
Businesses still using this legacy software are advised to put other controls in place to mitigate the risk of continued operation, such as restricting network access or upgrading to a supported product.
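One compensating control for the image-injection issue (CVE-2020-9314) is to watch the web server's access log for console requests whose “productNameSrc” parameter points at a host the server does not own. The following script is an added example, not code from the original report or from Oracle or Nightwatch; the log lines, console paths and hostnames in it are constructed placeholders, and the real iPlanet console URLs are not shown on this page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log in Common Log Format. The paths are placeholders,
# not the real iPlanet console URLs; the second line carries an off-host image URL.
SAMPLE_LOG = """\
10.0.0.5 - - [03/May/2020:10:01:12 +0000] "GET /admingui/index.jsp HTTP/1.1" 200 5120
10.0.0.9 - - [03/May/2020:10:02:44 +0000] "GET /admingui/page.jsp?productNameSrc=http://evil.example/logo.png&productNameWidth=400&productNameHeight=120 HTTP/1.1" 200 8812
10.0.0.7 - - [03/May/2020:10:03:01 +0000] "GET /admingui/page.jsp?productNameSrc=/images/product.gif HTTP/1.1" 200 8800
"""

# Matches the client IP, timestamp, method, request target and status of a CLF line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SIZE_PARAMS = ("productNameHeight", "productNameWidth")


def analyze_request(target, trusted_hosts=()):
    """Return a list of findings for one request target; [] when nothing is suspicious.

    A relative productNameSrc (an image served by the console itself) is treated as
    benign; an absolute or protocol-relative URL whose host is not in trusted_hosts
    is flagged, and the sizing parameters the page mentions are noted alongside it.
    """
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    src = params.get("productNameSrc", [""])[0]
    if not src:
        return []
    src_host = urlsplit(src).netloc.lower()
    if not src_host or src_host in {h.lower() for h in trusted_hosts}:
        return []
    findings = [f"productNameSrc points off-host: {src}"]
    sizing = [p for p in SIZE_PARAMS if p in params]
    if sizing:
        findings.append("image sizing supplied via " + ", ".join(sizing))
    return findings


def scan_log(text, trusted_hosts=()):
    """Parse each log line and return an alert dict per request with findings."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        findings = analyze_request(m["target"], trusted_hosts)
        if findings:
            alerts.append({"ip": m["ip"], "ts": m["ts"],
                           "target": m["target"], "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG, trusted_hosts=("www.internal.example",)):
        print(alert["ts"], alert["ip"], *alert["findings"], sep=" | ")
```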
The researchers initially sent their findings to Cisco on January 24. The tech giant twice rejected the reports because the product is no longer supported, but the vulnerabilities were nonetheless reported to MITRE for CVE assignment. On February 2, the agency assigned CVE numbers, which led to public disclosure in May.
Several months ago, Cisco disclosed and fixed a dozen high-severity vulnerabilities affecting the Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software suites.
A total of eight denial-of-service bugs, a memory leak issue, a routing issue, and an authentication bypass vulnerability – the most severe with a CVSS score of 9.1 – have been fixed.
ZDNet has contacted Cisco and will update when we hear back.