Cyber security experts have discovered two security defects in Oracle's iPlanet Web Server that could lead to sensitive data exposure and limited injection attacks.
Tracked as CVE-2020-9315 and CVE-2020-9314 and discovered by experts at Nightwatch Cybersecurity on January 19, 2020, the two flaws are said to reside in the product's web administration console.
The first issue, CVE-2020-9315, could allow unauthenticated remote attackers to gain read-only access to any page inside the administration console, without any validation, essentially by substituting the target page into an admin GUI URL.
The vulnerability could lead to the leak of sensitive information, including configuration data and encryption keys.
The second, tracked as CVE-2020-9314, could be exploited to inject external images, which can then be used for phishing and social engineering attacks. It lies in the "productNameSrc" parameter of the console.
Because of an inadequate fix for the CVE-2012-0516 XSS validation defect, this parameter can still be abused, together with the "productNameHeight" and "productNameWidth" parameters, to inject images into the domain.
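As an added example (not code from the advisory, from Nightwatch or from Oracle), the kind of parameter check the page says was missing: a constructed "weak" validator that only blocks script injection, the way the inadequate CVE-2012-0516 fix is described, beside a hardened one that restricts productNameSrc to a same-origin image path and the height/width parameters to plain integers. The /images/ directory, the size cap and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed, not from the advisory: the console serves its own images from /images/.
_SAFE_IMAGE_PATH = re.compile(r"^/images/[A-Za-z0-9_-]+\.(png|gif|jpg)$")

def weak_validate_src(value: str) -> bool:
    """Constructed stand-in for an XSS-only fix (the real 2012 check is not on
    the page): blocks markup and the javascript: scheme, but still accepts any
    absolute URL, so an image hosted on another domain is let through."""
    lowered = value.lower()
    if any(ch in lowered for ch in "<>\"'"):
        return False
    return not lowered.lstrip().startswith("javascript:")

def hardened_validate_src(value: str) -> bool:
    """Accept only a relative, same-origin path under the console's image dir."""
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:   # rejects http://, //host/, javascript:
        return False
    return _SAFE_IMAGE_PATH.fullmatch(value) is not None

def validate_dimension(value: str) -> bool:
    """productNameHeight / productNameWidth: plain positive integers, capped."""
    return value.isdigit() and 1 <= int(value) <= 512

def check_product_name_params(params: dict) -> list:
    """Return the names of parameters that fail the hardened checks."""
    rejected = []
    if not hardened_validate_src(params.get("productNameSrc", "")):
        rejected.append("productNameSrc")
    for name in ("productNameHeight", "productNameWidth"):
        if not validate_dimension(params.get(name, "")):
            rejected.append(name)
    return rejected

if __name__ == "__main__":
    # Constructed sample requests: one legitimate, one pointing at another host.
    legit = {"productNameSrc": "/images/product.png",
             "productNameHeight": "32", "productNameWidth": "200"}
    external = dict(legit, productNameSrc="http://external.example/logo.png")
    print(weak_validate_src(external["productNameSrc"]))   # True: weak check passes it
    print(check_product_name_params(legit))                # []
    print(check_product_name_params(external))             # ['productNameSrc']
```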
The two vulnerabilities affect Oracle iPlanet Web Server 7.0.x, which is no longer supported.
It is not yet clear whether earlier versions of the application are also affected. According to the researchers, the latest versions of Oracle GlassFish and Eclipse GlassFish share common code with iPlanet, but they do not appear to be vulnerable.
"Since Oracle no longer supports Oracle iPlanet Web Server 7.0.x, the policy is that there is no coordinated disclosure involving Oracle," concludes the report published by Nightwatch Cybersecurity. "Reporters who discover security vulnerabilities in products that Oracle no longer supports are free to disclose vulnerability details without Oracle participation."
The timeline for the issues follows:
2020-01-19: Initial discovery
2020-01-24: Initial disclosure sent to the vendor; rejected since the product is not supported
2020-01-24: Clarification questions sent to the vendor
2020-01-27: Report again rejected by vendor; referred to MITRE for CVE assignment
2020-01-29: CVEs requested from MITRE
2020-02-07: Initial report sent to CERT/CC
2020-02-17: CVE request rejected by MITRE, resubmitted with more data
2020-02-18: Response received from CERT/CC
2020-02-20: CVE assignments received from MITRE
2020-02-20: CVEs and disclosure plans communicated to the vendor
2020-05-10: Public disclosure