A set of vulnerabilities impacting Oracle’s iPlanet web server has been revealed by researchers.
Tracked as CVE-2020-9315 and CVE-2020-9314, the security flaws allow exposure of sensitive data and limited injection attacks.
Discovered by Nightwatch Cybersecurity researchers on January 19, 2020, the issues reside in the web-based administration console of the Enterprise Server Management System.
CVE-2020-9315 allows any page in the console to be read without authentication, simply by swapping the target page into an admin GUI URL. The researchers say this bug could leak sensitive data, including configuration information and encryption keys.
The second flaw, CVE-2020-9314, was found in the console’s “productNameSrc” parameter. An incomplete fix for CVE-2012-0516, an “unspecified” issue involving XSS input-validation weaknesses, left this parameter open to abuse in conjunction with the “productNameHeight” and “productNameWidth” parameters, allowing images to be injected into pages served from the domain for phishing and social engineering.
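The two issues above correspond to two missing or incomplete checks: an authentication check that has to run on every console page rather than only on the entry page, and input validation for the productNameSrc, productNameHeight and productNameWidth parameters. The Python sketch below is an added example written for this page, not Oracle’s, Nightwatch’s or any iPlanet code; the console paths, the session model, the allowed image directory and the dimension bound are constructed assumptions.

```python
# Illustrative admin-console request handler (added example; not Oracle's or
# Nightwatch's code). Shows the two defensive checks whose absence the reported
# issues correspond to: per-page authentication and strict parameter validation.
import html
from urllib.parse import urlsplit

# Constructed sample console pages; real iPlanet paths are not given in the article.
CONSOLE_PAGES = {"/admingui/index", "/admingui/config", "/admingui/keys"}
LOGIN_PAGE = "/admingui/login"
IMAGE_DIR = "/admingui/images/"   # assumed directory for console images
MAX_DIMENSION = 512               # assumed upper bound for height/width


def is_authenticated(session: dict) -> bool:
    """Hypothetical session check: the login page is assumed to set 'user'."""
    return bool(session.get("user"))


def validate_product_name_src(value: str) -> str:
    """Accept only a same-origin, relative image path under IMAGE_DIR.

    A value carrying a scheme or host would let the page load an image from
    another site (the phishing vector described for CVE-2020-9314), and a
    path with '..' could point outside the image directory.
    """
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        raise ValueError("productNameSrc must be a relative path")
    if not value.startswith(IMAGE_DIR) or ".." in value:
        raise ValueError("productNameSrc outside allowed image directory")
    if not value.lower().endswith((".png", ".gif", ".jpg")):
        raise ValueError("productNameSrc must reference an image file")
    return value


def validate_dimension(name: str, value: str) -> int:
    """productNameHeight / productNameWidth must be small positive integers.

    Anything that is not a plain digit string is rejected before it can reach
    an HTML attribute, so quotes or extra attributes never get emitted.
    """
    if not value.isdigit():
        raise ValueError(f"{name} must be a positive integer")
    number = int(value)
    if not 1 <= number <= MAX_DIMENSION:
        raise ValueError(f"{name} out of range")
    return number


def handle_console_request(path: str, session: dict, params: dict) -> tuple[int, str]:
    """Return (status, body) for a console request.

    The authentication check runs for every console page, not only the entry
    page, so substituting another page into the URL cannot bypass it (the
    CVE-2020-9315 class of flaw).
    """
    if path == LOGIN_PAGE:
        return 200, "login form"
    if path not in CONSOLE_PAGES:
        return 404, "not found"
    if not is_authenticated(session):
        return 401, "authentication required"
    try:
        src = validate_product_name_src(params.get("productNameSrc", IMAGE_DIR + "logo.png"))
        height = validate_dimension("productNameHeight", params.get("productNameHeight", "32"))
        width = validate_dimension("productNameWidth", params.get("productNameWidth", "200"))
    except ValueError as exc:
        return 400, str(exc)
    # The values are already validated; html.escape is applied as defence in depth.
    img = f'<img src="{html.escape(src)}" height="{height}" width="{width}">'
    return 200, img
```

The handler rejects an unauthenticated request for any console page with 401 rather than serving it, refuses an absolute URL or a non-numeric dimension with 400, and only then builds the image tag from validated values.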
Oracle iPlanet Web Server 7.0.x is vulnerable to these issues, but it is unknown if earlier versions of the application are also affected. The researchers claim that the latest versions of Oracle Glassfish and Eclipse Glassfish “share common code” with iPlanet, but “do not appear to be vulnerable”.
As iPlanet Web Server 7.0.x is a legacy product that Oracle no longer supports, there are no plans to release security patches.
“Since Oracle no longer supports Oracle iPlanet Web Server 7.0.x, the policy is that there is no coordinated disclosure involving Oracle,” the company said. “Reporters who discover security vulnerabilities in products that Oracle no longer supports are free to disclose details of the vulnerability without Oracle’s involvement.”
Organizations still running this legacy software are advised to put compensating controls in place to reduce the risk of exploitation, such as restricting network access or upgrading.
The researchers initially sent their findings to Cisco on January 24. The company twice dismissed the reports because the product is no longer supported, but the flaws were nonetheless referred to MITRE for CVE assignment. MITRE assigned the CVE numbers on February 2, and the issues were publicly disclosed in May.
Several months ago, Cisco disclosed and patched a dozen high-severity vulnerabilities affecting the Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software suites.
A total of eight denial of service bugs, a memory leak issue, a path traversal issue, and an authentication bypass vulnerability – the most severe earning a CVSS score of 9.1 – have been fixed.
ZDNet has contacted Cisco and will update when we hear back.