TippingPoint Zero Day Initiative

Oracle E-Business Suite Arbitrary Node Deletion Vulnerability

ZDI-07-016: April 17th, 2007

CVE ID

CVE-2007-2170

Affected Vendors

Oracle / PeopleSoft

Affected Products

Database Server

Vulnerability Details

This vulnerability allows remote attackers to delete any existing Document Management node on vulnerable installations of Oracle E-Business Suite. Authentication is not required to exploit this vulnerability.

The specific flaw exists in the APPLSYS.FND_DM_NODES package. The procedure to delete nodes does not check for a valid session thereby allowing an attacker to arbitrarily delete any node registered, including the root node.

Vendor Response

Oracle / PeopleSoft has issued an update to correct this vulnerability. More details can be found at:

Oracle Critical Patch Update - April 2007

Disclosure Timeline

2007-01-29 - Vulnerability reported to vendor
2007-04-17 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:

Joxean Koret

Published Advisories

ZDI-08-044: Mozilla Firefox

• published 2008-07-17

ZDI-08-043: Sun Microsystems

• published 2008-07-17

ZDI-08-042: Sun Microsystems

• published 2008-07-17

ZDI-08-041: Novell

• published 2008-07-10

ZDI-08-040: Microsoft

• published 2008-06-10

Upcoming Advisories

Microsoft

• reported 2008-07-08, 13 days ago

EMC

• reported 2008-07-07, 14 days ago

EMC

• reported 2008-07-07, 14 days ago

Adobe

• reported 2008-07-03, 18 days ago

Symantec

• reported 2008-06-26, 25 days ago

Recent Press

iPhone and iPod Touch updated with security patches

• published 2008-07-11, CNET

Apple TV gets a security update

• published 2008-07-10, CNET

First reports of a Firefox 3 vulnerability

• published 2008-06-19, BetaNews

Researchers disclose Firefox 3 flaws

• published 2008-06-19, SecurityFocus

Millions of downloads -- and the first critical ...

• published 2008-06-19, SCMagazine