Vulnerability CVE-2003-1116 - CERT Civis.Net

Vulnerability Name:

CVE-2003-1116 (CCN-11768)

Assigned:

2003-04-10

Published:

2003-04-10

Updated:

2017-07-11

Summary:

The communications protocol for the Report Review Agent (RRA), aka FND File Server (FNDFS) program, in Oracle E-Business Suite 10.7, 11.0, and 11.5.1 to 11.5.8 allows remote attackers to bypass authentication and obtain sensitive information from the Oracle Applications Concurrent Manager by spoofing requests to the TNS Listener.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Bypass Security

References:

Source: CCN
Type: VulnWatch Mailing List, Thu Apr 10 2003 - 22:35:12 CDT
Integrigy Security Advisory - Oracle Applications FNDFS Vulnerability

Source: MITRE
Type: CNA
CVE-2003-1116

Source: BUGTRAQ
Type: UNKNOWN
20030411 Integrigy Security Advisory - Oracle Applications FNDFS Vulnerability

Source: CCN
Type: Oracle Security Alert #53
Report Review Agent (RRA/FNDFS) Vulnerability in Oracle E-Business Suite

Source: CONFIRM
Type: Patch, Vendor Advisory
http://otn.oracle.com/deploy/security/pdf/2003alert53.pdf

Source: CCN
Type: SECTRACK ID: 1006550
Oracle E-Business Suite Report Review Agent Discloses Files to Remote Users

Source: SECTRACK
Type: Patch
1006550

Source: MISC
Type: UNKNOWN
http://www.integrigy.com/alerts/FNDFS_Vulnerability.htm

Source: CCN
Type: US-CERT VU#168873
Oracle E-Business Suite Report Review Agent (RRA) allows arbitrary files to be retrieved with no authentication

Source: CERT-VN
Type: Third Party Advisory, US Government Resource
VU#168873

Source: CCN
Type: OSVDB ID: 2326
Oracle E-Business Suite Review Agent (RRA/FNDFS) Protocol TNS Listener Spoof Authentication Bypass

Source: BID
Type: Patch
7325

Source: CCN
Type: BID-7325
Oracle E-Business Suite RRA/FNDFS Arbitrary File Disclosure Vulnerability

Source: XF
Type: UNKNOWN
oracle-rra-authentication-bypass(11768)

Source: XF
Type: UNKNOWN
oracle-rra-authentication-bypass(11768)

Vulnerable Configuration:

Configuration 1:

cpe:/a:oracle:e-business_suite:10.7:*:*:*:*:*:*:*

OR cpe:/a:oracle:e-business_suite:11.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:e-business_suite:11.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:e-business_suite:11.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:e-business_suite:11.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:e-business_suite:11.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:e-business_suite:11.5:*:*:*:*:*:*:*

OR cpe:/a:oracle:e-business_suite:11.6:*:*:*:*:*:*:*

OR cpe:/a:oracle:e-business_suite:11.7:*:*:*:*:*:*:*

OR cpe:/a:oracle:e-business_suite:11.8:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:oracle:e-business_suite:11.5.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:e-business_suite:11.5.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:e-business_suite:11.5.3:*:*:*:*:*:*:*

OR cpe:/a:oracle:e-business_suite:11.5.4:*:*:*:*:*:*:*

OR cpe:/a:oracle:e-business_suite:11.5.5:*:*:*:*:*:*:*

OR cpe:/a:oracle:e-business_suite:11.5.6:*:*:*:*:*:*:*

OR cpe:/a:oracle:e-business_suite:11.5.7:*:*:*:*:*:*:*

OR cpe:/a:oracle:e-business_suite:11.5.8:*:*:*:*:*:*:*

OR cpe:/a:oracle:applications:10.7:*:*:*:*:*:*:*

OR cpe:/a:oracle:applications:11.0:*:*:*:*:*:*:*

Denotes that component is vulnerable