COMMAND
Oracle
SYSTEMS AFFECTED
Oracle's ADI 7.1.1.10.1
PROBLEM
Melanie Abbas found the following. The version of ADI (Application
Desktop Integrator) 7.1.1.10.1 that was recently shipped with
Oracle's Financial Applications version 11.5.3 contains a major
security hole.
Whenever the software is launched, it creates a file called
dbg.txt on the local hard drive on the system which contains in
PLAIN TEXT the usernames and passwords for both the application
user and the APPS schema!
To explain further, the software runs on Windows systems and uses
the Net8 client to talk to the database; however, users log on with
their application ID and password, not directly to the database.
For this to work, the application connects to the database with a
public username/password that must never be changed for the
application to function: the username is APPLYSYSPUB and the
password is PUB (this is openly documented). This database account
is able to find the APPS schema and its encrypted password in the
database. The application then decrypts the password and uses it to
connect to the database. It has always done this in order to
function; however, for some reason, this release creates what
appears to be a debug file on the local hard drive and stores this
information in PLAIN TEXT!
Since release 11 (we believe) all access to the database for the
financial applications is done by the APPS schema. Thus, the APPS
schema has full control of all the tables within the database!
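The practical question for an administrator is which workstations have already written such a file. The script below is an added example for this advisory, not Oracle's code and not the reporter's; it walks a directory tree for dbg.txt files, flags credential-looking lines and reports them with the secret values redacted so the report itself does not spread the passwords. The advisory does not give the layout of dbg.txt, so the "key = value" form the scanner parses and the sample file it embeds are constructed assumptions to be adjusted once a real file has been examined.

```python
"""Workstation scan for leaked ADI debug files.

Added example, not Oracle's code and not part of the advisory. The advisory
states only that ADI 7.1.1.10.1 writes dbg.txt with the application user's
and APPS schema's credentials in plain text; it does not give the file's
layout, so the "key = value" form parsed here (and the sample below) is a
constructed assumption. Adjust CRED_KEY once you have looked at a real file.
"""
import re
import tempfile
from pathlib import Path

# Credential-looking lines: a key that ends in user/username/schema/
# password/passwd/pwd, then ':' or '=', then the value.
CRED_KEY = re.compile(
    r"^\s*(?P<key>[A-Za-z_ ]*(?:user(?:name)?|schema|pass(?:word|wd)?|pwd))"
    r"\s*[:=]\s*(?P<val>\S+)",
    re.IGNORECASE,
)
# Keys whose values must never be echoed by the scanner.
SECRET_KEY = re.compile(r"pass|pwd", re.IGNORECASE)

# Constructed sample of what the debug file might contain (assumed layout).
SAMPLE_DBG = """\
ADI 7.1.1.10.1 debug trace (constructed sample, not a real ADI file)
connect string = PROD
application user = jsmith
application password = Welcome1
schema = APPS
schema password = apps_secret
"""


def redact(value):
    """Show the first character and the length only, so an administrator
    can recognise an entry without the report re-exposing the secret."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[0] + "*" * (len(value) - 1)


def scan_text(text):
    """Return (line_no, key, shown_value, is_secret) for each credential-like
    line; secret values are redacted before they leave this function."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = CRED_KEY.match(line)
        if not match:
            continue
        key = match.group("key").strip()
        value = match.group("val")
        is_secret = bool(SECRET_KEY.search(key))
        shown = redact(value) if is_secret else value
        findings.append((line_no, key, shown, is_secret))
    return findings


def scan_tree(root, filename="dbg.txt"):
    """Walk root and map every dbg.txt that holds credential-like lines to
    its findings. Unreadable files are skipped rather than aborting the scan."""
    results = {}
    for path in Path(root).rglob(filename):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        findings = scan_text(text)
        if findings:
            results[str(path)] = findings
    return results


def demo_scan():
    """Build a throwaway directory tree with one leaked file and one harmless
    dbg.txt, run the scan, and return findings keyed by path relative to
    the tree root (used by the main block below)."""
    with tempfile.TemporaryDirectory() as tmp:
        leaked = Path(tmp) / "ADI" / "dbg.txt"
        leaked.parent.mkdir()
        leaked.write_text(SAMPLE_DBG)
        (Path(tmp) / "dbg.txt").write_text("nothing sensitive here\n")
        results = scan_tree(tmp)
        return {Path(p).relative_to(tmp).as_posix(): f for p, f in results.items()}


if __name__ == "__main__":
    for path, findings in demo_scan().items():
        print(f"{path}:")
        for line_no, key, shown, is_secret in findings:
            flag = "SECRET" if is_secret else "      "
            print(f"  line {line_no:>3} {flag} {key} = {shown}")
```

Run it against a user profile or the ADI installation directory on each workstation; a non-empty result means the machine has held the APPS schema password on disk, which is the cue to remove the file and treat that password as exposed.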
SOLUTION
The debug version of FNDPUB11I.DLL has been replaced with a
production version. In addition, a patch is available that
introduces an enhanced security feature, Application Server
Security, to prevent the debug DLL from connecting to the
database. The complete solution to this vulnerability requires
both replacement of the debug version DLL and implementation of
the Application Server Security patch. The patches for this
vulnerability can be downloaded from the Oracle Worldwide Support
Services web site, Metalink (http://metalink.oracle.com). Press
the "Patches" button to get to the Patch Download page. Click on
the link labeled "Click Here for ALL Product Patches". Enter the
patch number, select a platform, then press Submit to access the
correct patch for your platform.
To obtain the full Application Server Security patch, download
patch 1779336. The patch includes:
- Application Server Security feature
- Trusted implementations of middle-tier connection code
If you do not wish to upgrade your middle-tier application servers
at this time, a database-only version for the patch is also
available as Patch Number 1785034. This patch contains only the
Application Server Security feature. As a result of applying
this patch, application servers with old connection code will
need to be registered as trusted servers before they can access
the database. See the README.TXT files associated with the patch
for further instructions.
Apply the Application Server Security patch and turn server
security 'ON'. The old versions of ADI will no longer be able to
connect. New versions of ADI are available which contain a
trusted implementation of the FNDPUB11I.DLL connection code. A
new version of ADI will be required to connect to a database
which has Application Server Security enabled. Obtain the correct
ADI patch for your current version:
ADI Version   Patch
-----------   -------
7.0           1775480
7.1.2         1775479
7.1.3         1775476
After turning on Application Server Security, it is strongly
recommended that the APPS schema password be changed.
The server patch is necessary; with the server security feature
fully turned on, you must also supply a pass-key associated with the
machine from which you are attempting to make the connection. This
is intended to prevent access by compromised code or malicious DLLs.
Supported Oracle customers should go to Metalink for more details
and patch availability.