Integrigy Security Alert
______________________________________________________________________

Oracle E-Business Suite FNDWRR Buffer Overflow

July 23, 2003
______________________________________________________________________

Summary:

The Oracle Applications FNDWRR CGI program, used to retrieve report output from the Concurrent Manager server via a web browser, has a remotely exploitable buffer overflow. A mandatory patch from Oracle is required to solve this security issue.

Product:    Oracle E-Business Suite
Versions:   11.0 and 11.5.1 - 11.5.8
Platforms:  All platforms
Risk Level: High
______________________________________________________________________

Description:

The Oracle Applications Web Report Review (FNDWRR) program is used to view reports and logs in a web browser. FNDWRR is implemented as a CGI program. The FNDWRR CGI program is named "FNDWRR.exe" on both UNIX and Windows platforms.

A buffer overflow exists in the FNDWRR program, allowing an attacker to potentially gain control of the process and execute arbitrary code on the server. This buffer overflow can be remotely exploited using a web browser and an overly long URL.

Solution:

Oracle has released patches for Oracle Applications 11.0 and 11i to correct this vulnerability. Oracle has fixed the buffer overflow in the FNDWRR executable and related libraries. The following Oracle patches must be applied:

Version   Patch
-------   -----
11.0      2919943 (All Releases)
11i       2919943 (11.5.1 - 11.5.8)

Oracle Applications customers should consider this vulnerability high risk and apply the above patch during the next maintenance cycle. Customers with Internet-facing application servers should apply the patch immediately. Appropriate testing and backups should be performed before applying any patches.
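Until the patch is applied, the condition the advisory describes (a request to FNDWRR.exe carrying an overly long URL) is something a web server access log will show. The following Python scanner is an added example, not part of the Integrigy advisory or of Oracle's product; the /OA_CGI directory, the query parameter name, the length threshold and the sample log lines are assumptions constructed for illustration.

```python
import re
from typing import List, Optional

# Request line of a Common Log Format entry (regex written for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# FNDWRR.exe is the CGI name given in the advisory; matching on the file name
# only keeps the rule independent of the alias directory it is served from.
FNDWRR_RE = re.compile(r'/FNDWRR\.exe$', re.IGNORECASE)

# Tuning assumption: legitimate report-review URLs are short, so a request
# target far beyond a normal query length is worth alerting on.
MAX_TARGET_LEN = 512


def parse_log_line(line: str) -> Optional[dict]:
    """Split one access log line into fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(entry: dict, max_len: int = MAX_TARGET_LEN) -> bool:
    """True when the request hits FNDWRR.exe with an overly long path+query."""
    target = entry["target"]
    path = target.split("?", 1)[0]
    return bool(FNDWRR_RE.search(path)) and len(target) > max_len


def scan_log(text: str, max_len: int = MAX_TARGET_LEN) -> List[dict]:
    """Return one record per suspicious request found in the log text."""
    hits = []
    for line in text.splitlines():
        entry = parse_log_line(line)
        if entry and is_suspicious(entry, max_len):
            hits.append({"ip": entry["ip"], "ts": entry["ts"],
                         "status": entry["status"], "len": len(entry["target"])})
    return hits


# Constructed sample log: a normal report fetch, an oversized request, and an unrelated page.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [23/Jul/2003:10:01:02 -0500] "GET /OA_CGI/FNDWRR.exe?id=1001 HTTP/1.0" 200 5120',
    '10.0.0.9 - - [23/Jul/2003:10:01:07 -0500] "GET /OA_CGI/FNDWRR.exe?id=' + "X" * 2000 + ' HTTP/1.0" 500 -',
    '10.0.0.7 - - [23/Jul/2003:10:01:09 -0500] "GET /OA_HTML/login.jsp HTTP/1.0" 200 2048',
])

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A 500 status on such a request is a useful secondary signal that the CGI process crashed, but the length check alone is what ties the rule to this advisory.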
Additional Information:

http://www.integrigy.com/resources.htm
http://otn.oracle.com/deploy/security/pdf/2003alert56.pdf

For more information or questions regarding this security alert, please contact us at alerts@integrigy.com.

Credit:

This vulnerability was discovered by Stephen Kost of Integrigy Corporation.
______________________________________________________________________

About Integrigy Corporation (www.integrigy.com)

Integrigy Corporation is a leader in application security for large enterprise, mission critical applications. Our application vulnerability assessment tool, AppSentry, assists companies in securing their largest and most important applications. Integrigy Consulting offers security assessment services for leading ERP and CRM applications. For more information, visit www.integrigy.com.