| Oracle Applications FNDFS Vulnerability
Author : Integrigy Security Alerts <email@example.com>
Integrigy Security Advisory
Oracle E-Business Suite FNDFS Vulnerability
April 10, 2003
The Oracle Applications FNDFS program, used to retrieve report output
the Concurrent Manager server, can be used to remotely retrieve any file
from the server without operating system or application authentication.
mandatory patch from Oracle is required to solve this security issue.
Product: Oracle E-Business Suite
Versions: 10.7, 11.0 and 11.5.1 - 11.5.8
Platforms: All platforms
Risk Level: High
There exists a weakness in the communications protocol used by the Oracle
Applications FND File Server (FNDFS) program, also referred to as the
Review Agent (RRA), that may allow an attacker to retrieve any file from
Oracle Applications Concurrent Manager servers bypassing operating system,
database, and application authentication. The Concurrent Manager server
usually also the database server in most implementations. The FNDFS program
is used by the Report Viewer (FNDWRR.exe) and ADI Request Center to retrieve
reports and logs from the Concurrent Manager server.
An attacker can exploit this vulnerability to retrieve sensitive data
files containing critical passwords from the server. Any file accessible
the oracle or applmgr accounts can be retrieved. Direct access to the
Concurrent Manager server via SQL*Net is required.
Oracle has released patches for Oracle Applications 11.0 and 11i to correct
this vulnerability. Oracle has implemented a new security layer in the
communications protocol used by the FNDFS program.
The following Oracle patches must be applied to all servers --
11.0 2782950 (All Releases)
11i 2782945 (11.5.1 - 11.5.8)
Application Desktop Integrator (ADI) users must also apply patch 2778660
allow ADI clients to connect to the new FNDFS program.
Appropriate testing and backups should be performed before applying any
All firewalls should block or filter the SQL*Net protocol, not permitting
any SQL*Net access to the Concurrent Manager or database servers from
Internet or unsecured networks. Please note that the FNDFS program does
run on the standard Oracle SQL*Net port 1521, thus multiple SQL*Net ports
must be blocked or filtered.
Security for the FNDFS TNS Listener should be evaluated and include a
password on the listener and connection limitations to only allow the
application servers access to the listener. Customers running ADI may
be able to limit access to the listener, since ADI's Request Center requires
direct access to the listener from the client. Additional information
security for Oracle TNS listeners can be found at:
For more information or questions regarding this security alert, please
contact us at firstname.lastname@example.org.
This vulnerability was discovered by Stephen Kost of Integrigy Corporation.
Integrigy is a member of the Oracle PartnerNetwork.
About Integrigy Corporation (www.integrigy.com)
Integrigy Corporation is a leader in application security for large
enterprise, mission critical applications. Our application vulnerability
assessment tool, AppSentry, assists companies in securing their largest
most important applications. Integrigy Consulting offers security assessment
services for leading ERP and CRM applications.
For more information, visit www.integrigy.com.