SUMMARY

Two vulnerabilities were discovered in the web administration console of Oracle’s iPlanet Web Server which allow for sensitive data exposure and limited injection. The first issue allows read-only access to any page within the administration console without authentication, resulting in sensitive data exposure. The second issue allows for injection of external images which can be used for phishing and social engineering.

These vulnerabilities have been reported to the vendor (Oracle) but the vendor will not be issuing security patches because the affected product is no longer supported. Users are encouraged to implement other controls to mitigate these vulnerabilities such as restricting network access to the administration console from the Internet or switching to a supported platform.

Version 7 has been tested and found to be vulnerable, however, it is unknown whether earlier versions are affected. Latest versions of Oracle Glassfish and Eclipse Glassfish application server (v5) share common code with the affected product, have been tested and do not seem to be vulnerable. MITRE has assigned CVE-2020-9315 to track the sensitive data exposure issue and CVE-2020-9314 to track the injection issue.

ISSUE #1 – SENSITIVE DATA EXPOSURE / ADMIN GUI BYPASS (CVE-2020-9315)

A vulnerability exists in the web administration console of Oracle’s iPlanet Web Server which makes it possible to read information from any page within the console without authentication. This can result in sensitive data exposure of configuration information about the server including encryption keys, JVM configuration and other data. We did not perform testing to see whether this vulnerability allows for changes to be made within the console.

This is accomplished by replacing any URL for any page within the administration console as follows:

• http://%5Btarget%5D/admingui/admingui/*

with:

• http://%5Btarget%5D/admingui/version/*

To replicate, try the following URLs:

• http://%5Btarget%5D/admingui/version/
• http://%5Btarget%5D/admingui/version/serverTasksGeneral?serverTasksGeneral.GeneralWebserverTabs.TabHref=2

ISSUE #2 – IMAGE INJECTION IN THE ADMIN GUI (CVE-2020-9314)

The “productNameSrc” parameter in the administration console allows for injection of external images. When used in combination with the “productNameHeight” and “productNameWidth” parameters, this can be used to inject an external image into a site to facilitate phishing. This is due to an incomplete fix for CVE-2012-0516. The earlier fix added validation against XSS issues but didn’t add validation to make sure an external image is not loaded.

To replicate, try the following URLs:

• http://%5Btarget%5D/admingui/version/Version?&productNameSrc=http://www.example.com/test.jpg&productNameHeight=500&productNameWidth=500
• http://%5Btarget%5D/admingui/version/Masthead.jsp?productNameSrc=http://www.example.com/test.jpg&productNameHeight=500&productNameWidth=500

VENDOR RESPONSE

Both vulnerabilities have been reported to the vendor (Oracle), however the vendor doesn’t plan to issue security patches since the product is no longer supported, as per the following responses:

Oracle iPlanet Web Server 7.0.x is no longer supported. Please see the life time support document.

And:

Thank you for your report regarding Oracle iPlanet Web Server 7.0.x, which is no longer supported by Oracle. Since Oracle no longer supports Oracle iPlanet Web Server 7.0.x, the policy is that there is no coordinated disclosure involving Oracle. Reporters who discover security vulnerabilities in products that Oracle no longer supports are free to disclose vulnerability details without Oracle participation. Oracle does not assign CVEs for products that are no longer supported. That means, if you want a CVE assigned you will need to contact Mitre.

CERT/CC concurred with the vendor’s assessment.

MITRE has assigned CVE-2020-9315 to track the sensitivity data exposure issue, and CVE-2020-9314 to track the injection issue.

AFFECTED VERSIONS AND MITIGATIONS

Version 7 has been tested and found to be vulnerable, however, it is unknown whether earlier versions are affected. Latest versions of Oracle Glassfish and Eclipse Glassfish application server (v5) share common code with the affected product but have been tested and do not seem to be vulnerable.

Users are encouraged to implement other controls to mitigate these vulnerabilities such as restricting network access to the administration console from the Internet or switching to a supported platform.

REFERENCES

CERT/CC ID: VU#343851
CVEs: CVE-2020-9315 and CVE-2020-9314
Oracle lifetime support documentation: see here
Related vulnerability regarding XSS: CVE-2012-0516 and advisory

CREDITS

We would like to thank Synack for assistance with the disclosure process. Text of the advisory was written by Y. Shafranovich.

TIMELINE

2020-01-19: Initial discovery
2020-01-24: Initial disclosure sent to vendor; rejected since product is not supported
2020-01-24: Clarification questions sent to the vendor
2020-01-27: Report again rejected by vendor; referred to MITRE for CVE assignment
2020-01-29: CVEs requested from MITRE
2020-02-07: Initial report sent to CERT/CC
2020-02-17: CVE request rejected by MITRE, resubmitted with more data
2020-02-18: Response received from CERT/CC
2020-02-20: CVE assignments received from MITRE
2020-02-20: CVEs and disclosure plans communicated to the vendor
2020-05-10: Public disclosure