Security researchers have disclosed a pair of vulnerabilities affecting Oracle's iPlanet Web Server. The flaws, tracked as CVE-2020-9315 and CVE-2020-9314, allow sensitive data exposure and limited injection attacks respectively.
The vulnerabilities, which sit in the web administration console (the interface used to manage the server), were first identified by Nightwatch Cybersecurity researchers on January 19, 2020.
The first flaw, CVE-2020-9315, allows any page within the console to be read without authentication, by simply replacing the admin GUI URL with that of the target page. Because the console pages expose the server's settings, this can leak sensitive data, including configuration information and encryption keys.
The second flaw, CVE-2020-9314, affects the "productNameSrc" parameter of the console. Because of an incomplete fix for an earlier, unspecified security issue involving XSS validation, this parameter can be abused together with the "productNameHeight" and "productNameWidth" parameters to inject attacker-chosen images into the console's domain for phishing and social engineering. The injection is limited to images rather than script, which is why it is classed as a limited injection attack.
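Since Oracle is not patching, defenders are left with detection. The following is an added example (not code from the article or from Nightwatch) showing how the three parameter names above can be used to spot image-injection attempts in the server's access log: it parses Common Log Format lines, percent-decodes the query string, and flags any "productNameSrc" value that points off-host. The log lines are constructed for this example, and the console page path "/admingui/productName" and the host "console.example.internal" are placeholders, since the article does not name the real page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in Common Log Format. They are made up
# for this example; the page path "/admingui/productName" is a placeholder
# because the article does not name the real console page.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jan/2020:10:01:12 +0000] "GET /admingui/productName?productNameSrc=https://attacker.example/lure.png&productNameWidth=400&productNameHeight=200 HTTP/1.1" 200 1532
198.51.100.4 - - [19/Jan/2020:10:02:30 +0000] "GET /admingui/productName?productNameSrc=/images/logo.gif&productNameWidth=120&productNameHeight=40 HTTP/1.1" 200 1532
203.0.113.8 - - [19/Jan/2020:10:02:45 +0000] "GET /admingui/productName?productNameSrc=%2F%2Fattacker.example%2Flure.png&productNameWidth=400&productNameHeight=200 HTTP/1.1" 200 1532
192.0.2.9 - - [19/Jan/2020:10:03:05 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# Client address and request target of a Common Log Format line.
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def classify_src(value, own_hosts):
    """Decide whether a productNameSrc value points off-host.

    own_hosts: lower-case hostnames (with port if used) that the console
    legitimately serves images from.
    """
    value = value.strip()
    if value.startswith("//"):            # protocol-relative URL, still off-host
        return "external"
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if scheme in ("http", "https"):
        return "local" if parts.netloc.lower() in own_hosts else "external"
    if scheme:                            # data:, javascript:, file:, ...
        return "suspicious-scheme"
    return "local"                        # plain relative path on the console


def find_image_injection(log_text, own_hosts=frozenset()):
    """Return one finding per request that carries a productNameSrc parameter."""
    own_hosts = {h.lower() for h in own_hosts}
    findings = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        qs = parse_qs(query, keep_blank_values=True)  # also percent-decodes
        if "productNameSrc" not in qs:
            continue
        src = qs["productNameSrc"][0]
        findings.append({
            "client": m.group("client"),
            "src": src,
            "width": qs.get("productNameWidth", [None])[0],
            "height": qs.get("productNameHeight", [None])[0],
            "verdict": classify_src(src, own_hosts),
        })
    return findings


if __name__ == "__main__":
    for finding in find_image_injection(SAMPLE_LOG, own_hosts={"console.example.internal"}):
        print(finding)
```

Running it over the sample log reports three requests carrying "productNameSrc": the first and third are flagged as external (the third after percent-decoding reveals a protocol-relative URL), while the second, a relative path to the console's own logo, is classed as local. In practice, any "external" or "suspicious-scheme" hit on an unsupported iPlanet console deserves a look at what the client did next, since the same console is also readable without authentication under CVE-2020-9315.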
Oracle iPlanet Web Server 7.0.x is vulnerable to both issues; it is not known whether earlier versions are also affected. The current versions of Oracle GlassFish and Eclipse GlassFish share common code with iPlanet, but they are not vulnerable.
Oracle does not plan to fix the issues, because iPlanet Web Server 7.0.x is a legacy product that is no longer supported.
Researchers who discover vulnerabilities in products that Oracle no longer supports are free to disclose the details without Oracle's participation.
Organizations still running this legacy software are advised to put other controls in place to mitigate the risk of exploitation, such as restricting network access (to the administration console in particular), or to upgrade to a supported product.