COMMAND

	Oracle E-Business Suite FNDFS remotely file retrieval

SYSTEMS AFFECTED

	 Product:    Oracle E-Business Suite
	 Versions:   10.7, 11.0 and 11.5.1 - 11.5.8
	 Platforms:  All platforms
	

PROBLEM

	In Integrigy Security Advisory, Stephen Kost  of  Integrigy  Corporation
	[http://www.integrigy.com] found following:
	
	There exists a weakness in  the  communications  protocol  used  by  the
	Oracle Applications FND File Server (FNDFS) program,  also  referred  to
	as the Report  Review  Agent  (RRA),  that  may  allow  an  attacker  to
	retrieve any file from Oracle Applications  Concurrent  Manager  servers
	bypassing operating system, database,  and  application  authentication.
	The Concurrent Manager server is usually also  the  database  server  in
	most implementations. The FNDFS program is used  by  the  Report  Viewer
	(FNDWRR.exe) and ADI Request Center to retrieve reports  and  logs  from
	the Concurrent Manager server.
	
	An attacker can exploit this vulnerability to  retrieve  sensitive  data
	or files  containing  critical  passwords  from  the  server.  Any  file
	accessible by the oracle or applmgr accounts can  be  retrieved.  Direct
	access to the Concurrent Manager server via SQL*Net is required.

SOLUTION

	Oracle has released patches for Oracle  Applications  11.0  and  11i  to
	correct this vulnerability. Oracle has implemented a new security  layer
	in the communications protocol used by the FNDFS program.
	
	The following Oracle patches must be applied to all servers
	
	
	      Version     Patch
	      -------     -----
	      11.0        2782950     (All Releases)
	      11i         2782945     (11.5.1 - 11.5.8)
	
	
	Application  Desktop  Integrator  (ADI)  users  must  also  apply  patch
	2778660 to allow ADI clients to connect to the new FNDFS program.
	
	Appropriate testing and backups should be performed before applying  any
	patches.
	
	All  firewalls  should  block  or  filter  the  SQL*Net  protocol,   not
	permitting any SQL*Net access to  the  Concurrent  Manager  or  database
	servers from the Internet or unsecured networks. Please  note  that  the
	FNDFS program does not run on the standard  Oracle  SQL*Net  port  1521,
	thus multiple SQL*Net ports must be blocked or filtered.
	
	Security for the FNDFS TNS Listener should be evaluated  and  include  a
	password on the listener and connection limitations to  only  allow  the
	application servers access to the listener. Customers  running  ADI  may
	not be able to limit access to the listener, since ADI's Request  Center
	requires direct access to  the  listener  from  the  client.  Additional
	information on security for Oracle TNS listeners can be found at:
	
	
	  http://www.integrigy.com/info/Integrigy_OracleDB_Listener_Security.pdf
	
	
	Additional Information:
	
	
	  http://www.integrigy.com/resources.htm
	  http://otn.oracle.com/deploy/security/pdf/2003alert53.pdf