Data leak, phishing security flaws disclosed in Oracle iPlanet Web Server

A set of vulnerabilities impacting Oracle’s iPlanet Web Server has been disclosed by researchers.  

Tracked as CVE-2020-9315 and CVE-2020-9314, the security flaws allow for sensitive data exposure and limited injection attacks.

First discovered by Nightwatch Cybersecurity researchers on January 19, 2020, the issues were found in the web administration console of the enterprise server management system. 


CVE-2020-9315 permits any page within the console to be read without authentication, simply by substituting the target page into an admin GUI URL. The researchers say that this bug could result in the leak of sensitive data, including configuration information and encryption keys.

The second security flaw, CVE-2020-9314, was discovered in the “productNameSrc” parameter of the console. An incomplete fix for CVE-2012-0516, an ‘unspecified’ security issue involving XSS validation problems, allowed this parameter to be abused in conjunction with the “productNameHeight” and “productNameWidth” parameters to inject images into the domain for the purposes of phishing and social engineering.

Oracle iPlanet Web Server 7.0.x is vulnerable to these issues, but it is not known if earlier versions of the application are also affected. The researchers say that the latest versions of Oracle Glassfish and Eclipse Glassfish “share common code” with iPlanet, but they “do not seem to be vulnerable.”

As iPlanet Web Server 7.0.x is a legacy product and is no longer supported (PDF) by Oracle, there are no plans to issue security fixes.


“Since Oracle no longer supports Oracle iPlanet Web Server 7.0.x, the policy is that there is no coordinated disclosure involving Oracle,” the company said. “Reporters who discover security vulnerabilities in products that Oracle no longer supports are free to disclose vulnerability details without Oracle participation.”

If organizations are still using this legacy software, it is recommended that other controls are put in place to mitigate the risk of exploitation, such as restricting network access to the administration console, or that the software is upgraded.
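As an added example (not code from the article or from Nightwatch or Oracle), the following Python script illustrates the kind of compensating check a defender might run while a legacy iPlanet 7.0.x instance remains in service: it reviews web-server access log lines and flags two patterns tied to the two issues above, requests that reach the administration console from outside an assumed management network (relevant to the unauthenticated page read in CVE-2020-9315) and requests whose `productNameSrc` parameter points to an off-host image (relevant to the image injection in CVE-2020-9314). The console path prefix `/ADMIN-CONSOLE-PATH/`, the management network `10.0.0.0/8`, and the log lines are all constructed placeholders and assumptions; substitute your deployment's real values.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumptions (not from the article): the console is served under this path
# prefix, and legitimate administrators only connect from the network below.
ADMIN_PATH_PREFIX = "/ADMIN-CONSOLE-PATH/"  # placeholder; set to the real console path
MGMT_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # placeholder management range

# Common Log Format: client ident user [time] "METHOD TARGET PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines for illustration only (RFC 5737 test addresses).
SAMPLE_LOG = """\
10.0.1.5 - - [01/May/2020:10:00:00 +0000] "GET /ADMIN-CONSOLE-PATH/index.jsp HTTP/1.1" 200 1234
203.0.113.7 - - [01/May/2020:10:00:01 +0000] "GET /ADMIN-CONSOLE-PATH/config.jsp HTTP/1.1" 200 5678
10.0.1.5 - - [01/May/2020:10:00:02 +0000] "GET /ADMIN-CONSOLE-PATH/index.jsp?productNameSrc=/images/logo.gif&productNameHeight=20&productNameWidth=100 HTTP/1.1" 200 900
198.51.100.9 - - [01/May/2020:10:00:03 +0000] "GET /ADMIN-CONSOLE-PATH/index.jsp?productNameSrc=http://example.net/x.png&productNameHeight=300&productNameWidth=600 HTTP/1.1" 200 900
192.0.2.4 - - [01/May/2020:10:00:04 +0000] "GET /public/page.html HTTP/1.1" 200 100
"""


def external_image_src(query):
    """True if any productNameSrc value points off-host (carries a scheme or a host).

    A same-origin image reference is a bare path such as /images/logo.gif;
    anything with a scheme (http://...) or a host (//host/...) is external.
    """
    params = parse_qs(query, keep_blank_values=True)
    for value in params.get("productNameSrc", []):
        parts = urlsplit(value)
        if parts.scheme or parts.netloc:
            return True
    return False


def review_log(text):
    """Return (finding, client_ip, path, status) tuples for suspicious console requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        path, _, query = m["target"].partition("?")
        if not path.startswith(ADMIN_PATH_PREFIX):
            continue  # only the administration console is in scope here
        ip = ipaddress.ip_address(m["ip"])
        status = int(m["status"])
        if not any(ip in net for net in MGMT_NETWORKS):
            findings.append(("console-access-outside-mgmt", str(ip), path, status))
        if external_image_src(query):
            findings.append(("external-productNameSrc", str(ip), path, status))
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(*finding)
```

Run against the constructed sample, the script reports the console request from 203.0.113.7 (outside the management range) and two findings for 198.51.100.9 (outside the range and carrying an external `productNameSrc`), while the internal request with a same-origin image reference is not flagged. A status of 200 on a flagged console request from outside the management network is the case worth escalating, since it indicates the page was actually served.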

Following the discoveries, the researchers initially sent their findings to Cisco on January 24. The tech giant rejected the reports twice because the product is no longer supported, but the security flaws were still referred to MITRE for CVE assignment. By February 2, MITRE had assigned CVE numbers, leading to public disclosure in May.


Several months ago, Cisco disclosed and remedied a dozen high-severity vulnerabilities impacting the Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software suites. 

In total, eight denial-of-service bugs, a memory leak problem, a path-traversal issue, and an authentication bypass vulnerability — the most severe earning itself a CVSS score of 9.1 — were patched. 

ZDNet has reached out to Cisco and will update when we hear back.
