Security Flaws Impacting Oracle’s iPlanet Web Server
Tracked as CVE-2020-9315 and CVE-2020-9314, discovered by experts at Nightwatch Cybersecurity on January 19, 2020, the two flaws are said to reside in the web administration console of the enterprise server management server.
The first issue, known as CVE-2020-9315, could permit unauthenticated remote attackers to secure the read-only access to any page inside the administration console, without validation, by essentially replacing an admin GUI URL for the target page.
The vulnerability could bring about the leak of sensitive information, including configuration information and encryption keys.
While the second tracked as CVE-2020-9314, could be exploited to infuse external images which can be utilized for phishing and social engineering attacks. It lives in the “productNameSrc” parameter of the console.
An inadequate fix for CVE-2012-0516 XSS validation defect considered this parameter to be abused related to “productNameHeight” and “productNameWidth” parameters for the injection of images into a domain.
The two vulnerabilities affect Oracle iPlanet Web Server 7.0.x, that is no longer supported.
At the time it isn’t clear if the earlier versions of the application are likewise influenced. As indicated by the experts, the most recent variants of Oracle Glassfish and Eclipse Glassfish share common code with iPlanet, yet they don’t appear to be vulnerable.
“Since Oracle no longer supports Oracle iPlanet Web Server 7.0.x, the policy is that there is no coordinated disclosure involving Oracle,” concludes the report published by Nightwatch Cybersecurity. ”Reporters who discover security vulnerabilities in products that Oracle no longer supports are free to disclose vulnerability details without Oracle participation.”