Researchers discovered two security flaws impacting Oracle’s iPlanet Web Server, tracked as CVE-2020-9315 and CVE-2020-9314, that could cause sensitive data exposure and limited injection attacks.
The flaws have been discovered by experts at Nightwatch Cybersecurity on January 19, 2020, both resides in the web administration console of the enterprise server management system.
The first issue, tracked as CVE-2020-9315, could allow unauthenticated remote attackers to gain read-only access to any page within the administration console, without authentication, by simply replacing an admin GUI URL for the target page. The vulnerability could result in the leak of sensitive data, including configuration information and encryption keys.
“A vulnerability exists in the web administration console of Oracle’s iPlanet Web Server which makes it possible to read information from any page within the console without authentication.” reads the analysis published by Nightwatch Cybersecurity. “This can result in sensitive data exposure of configuration information about the server including encryption keys, JVM configuration and other data.”
The second issue, tracked as CVE-2020-9314, could be exploited to inject external images which can be used for phishing and social engineering attacks
The CVE-2020-9314 issue resides in the “productNameSrc” parameter of the console. An incomplete fix for CVE-2012-0516 XSS validation flaw allowed for this parameter to be abused in conjunction with “productNameHeight” and “productNameWidth” parameters for the injection of images into a domain.
“The “productNameSrc” parameter in the administration console allows for injection of external images. When used in combination with the “productNameHeight” and “productNameWidth” parameters, this can be used to inject an external image into a site to facilitate phishing. This is due to an incomplete fix for CVE-2012-0516.” continues the report. “The earlier fix added validation against XSS issues but didn’t add validation to make sure an external image is not loaded.”
The two vulnerabilities impact Oracle iPlanet Web Server 7.0.x, that is no longer supported. At the time it is not clear if earlier versions of the application are also affected. According to the experts, the latest versions of Oracle Glassfish and Eclipse Glassfish share common code with iPlanet, but they don’t seem to be vulnerable.
Oracle has no plans to address the security vulnerabilities because the product is no longer supported.
“Since Oracle no longer supports Oracle iPlanet Web Server 7.0.x, the policy is that there is no coordinated disclosure involving Oracle,” concludes the report.”Reporters who discover security vulnerabilities in products that Oracle no longer supports are free to disclose vulnerability details without Oracle participation.”
Below the timeline for the issues:
2020-01-19: Initial discovery
2020-01-24: Initial disclosure sent to vendor; rejected since product is not supported
2020-01-24: Clarification questions sent to the vendor
2020-01-27: Report again rejected by vendor; referred to MITRE for CVE assignment
2020-01-29: CVEs requested from MITRE
2020-02-07: Initial report sent to CERT/CC
2020-02-17: CVE request rejected by MITRE, resubmitted with more data
2020-02-18: Response received from CERT/CC
2020-02-20: CVE assignments received from MITRE
2020-02-20: CVEs and disclosure plans communicated to the vendor
2020-05-10: Public disclosure
(SecurityAffairs – Oracle’s iPlanet Web Server, hacking)