Users of Oracle's applications software have been warned of two new high-risk security flaws in the E-Business Suite, as well as a third in the underlying database.
If not patched, the two security flaws in E-Business Suite could let attackers install and run malicious code of their choice on the E-Business Suite server. Oracle has ranked both of these flaws as "high risk." One flaw lies in the suite's Java Server Pages, within the AOL/J Setup Test Suite for E-Business Suite. It could allow an attacker to view server configuration information that could then be used to attack the suite.
"This buffer overflow can be remotely exploited using a web browser and an overly long URL," the company said, urging users to apply the required patches immediately. Affected software includes Oracle E-Business Suite 11i and Oracle Applications 10.x through 11i.
A second flaw is located in the suite's FNDWRR component. FNDWRR contains a buffer overflow vulnerability that could enable an attacker to crash the program and potentially run malicious code, the company said.
That hole, discovered by researchers at Integrigy, affects Oracle E-Business Suite 11i and Oracle Applications 11.x through 11i. The company said the problem existed in the "aoljtest.jsp" script, which is part of the OA Framework Test Suite. The script contains multiple vulnerabilities that could allow malicious people to see system information, including the guest user's password and the application server security key.
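Until the patches are applied, one defensive check is to scan web server access logs for requests to the test-suite script and for unusually long URLs aimed at FNDWRR. The following is an added example, not code from the article or from Oracle; the URL paths, the 512-byte length threshold and the log lines are constructed assumptions and should be adjusted to the real deployment.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines in Apache combined style (not real traffic).
LONG_PARAM = "A" * 600  # stands in for an overly long URL; the article gives no length
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [01/Jan/2004:10:00:01 +0000] "GET /OA_HTML/jsp/fnd/aoljtest.jsp HTTP/1.1" 200 5120',
    '10.0.0.7 - - [01/Jan/2004:10:00:02 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 2048',
    f'10.0.0.9 - - [01/Jan/2004:10:00:03 +0000] "GET /OA_CGI/FNDWRR.exe?temp_id={LONG_PARAM} HTTP/1.1" 500 0',
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed mount points: confirm the actual script paths on your own servers.
TEST_SUITE_SCRIPTS = ("aoljtest.jsp",)
FNDWRR_MARKER = "fndwrr"
MAX_URL_LEN = 512  # assumed threshold; tune it to the normal URL lengths in your baseline


def classify(line):
    """Return a finding dict for a suspicious log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    path = urlsplit(url).path.lower()
    findings = []
    # Any access to the OA Framework test script is worth reviewing: it should not be
    # reachable on a production system once the advisory's patches are in place.
    if path.rsplit("/", 1)[-1] in TEST_SUITE_SCRIPTS:
        findings.append("test-suite-script")
    # An overly long URL sent to FNDWRR matches the overflow trigger the vendor describes.
    if FNDWRR_MARKER in path and len(url) > MAX_URL_LEN:
        findings.append("long-fndwrr-url")
    if not findings:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
            "url": url[:80], "findings": findings}


def scan(log_text):
    """Scan a block of access-log text and return the list of findings."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```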
Patches are available from the Oracle website at www.oracle.com.