A pair of vulnerabilities in Oracle’s iPlanet Web Server have been disclosed that can lead to sensitive data exposure and image injections onto web pages if exploited. However, no patch is forthcoming for either flaw.

The bugs (CVE-2020-9315 and CVE-2020-9314) are specifically found in the web administration console of [iPlanet version 7](<https://www.oracle.com/technetwork/middleware/webtier/featuresandbenefits-1-134420.pdf>), which has reached end-of-life and is no longer supported – hence no patches.

The first issue, the authentication bypass (CVE-2020-9315), allows read-only access to any page within the administration console without authentication.

“This can result in sensitive data exposure of configuration information about the server, including encryption keys, Java Virtual machine (JVM) configuration and other data,” researchers at Nightwatch Security said [in a posting](<https://wwws.nightwatchcybersecurity.com/2020/05/10/two-vulnerabilities-in-oracles-iplanet-web-server-cve-2020-9315-and-cve-2020-9314/>) on Sunday about the issue. “We did not perform testing to see whether this vulnerability allows for changes to be made within the console.”

Attackers can replace any URL for any page within the administration console, they added.

The second issue, the external image injection (CVE-2020-9314), arises from the “productNameSrc” parameter in the administration console.

“When used in combination with the ‘productNameHeight’ and ‘productNameWidth’ parameters, this can be used to inject an external image into a site to facilitate phishing,” according to the researchers. “This is due to an incomplete fix for CVE-2012-0516. The earlier fix added validation against XSS issues but didn’t add validation to make sure an external image is not loaded.”

Oracle pointed the researchers to its EOL statement when the bug report was submitted.
“Thank you for your report regarding Oracle iPlanet Web Server 7.0.x, which is no longer supported by Oracle,” said the vendor. “Since Oracle no longer supports Oracle iPlanet Web Server 7.0.x, the policy is that there is no coordinated disclosure involving Oracle. Reporters who discover security vulnerabilities in products that Oracle no longer supports are free to disclose vulnerability details without Oracle participation.”

Even though there’s no patch, all is not lost: Users can implement other controls to mitigate the problem and reduce risk, according to Nightwatch – such as restricting network access to the administration console from the internet.

Version 7 of iPlanet is vulnerable, but Nightwatch didn’t test earlier versions.

Oracle’s regular [Patch Tuesday updates](<https://threatpost.com/oracle-tackles-405-bugs-for-april-quarterly-patch-update/154737/>) are expected tomorrow.
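The same-origin check the researchers say the CVE-2012-0516 fix left out, plus a scan of access logs for the parameter abuse described above, as an added example that is not Nightwatch’s or Oracle’s code. The `/admin-app/` console path, the Common Log Format lines and the hostnames are constructed placeholders.

```python
"""Defensive handling of the iPlanet 7 admin-console 'productNameSrc'
parameter (CVE-2020-9314): the validation the page says was missing, and
a log scan that flags requests supplying an external image source.
Added example; log lines, IPs, hostnames and the '/admin-app/' path are
constructed placeholders, not values from the advisory."""
from urllib.parse import urlsplit, parse_qs


def is_external_image_src(value: str) -> bool:
    """True if 'value' would make the browser fetch from another origin.

    Catches absolute URLs with any scheme (http:, https:, data:, ...),
    protocol-relative '//host/...' and backslash spellings that browsers
    normalise to '/' for http(s) URLs."""
    v = value.strip().replace("\\", "/")
    parts = urlsplit(v)
    return bool(parts.scheme or parts.netloc) or v.startswith("//")


def validate_product_name_src(value: str) -> str:
    """Hardened check: accept only a same-origin path, else raise.
    Mirrors the missing check, not Oracle's actual code."""
    if is_external_image_src(value):
        raise ValueError("productNameSrc must be a same-origin path")
    return value


def flag_requests(log_lines):
    """Return (client_ip, productNameSrc) for log entries whose request
    passes an external image source to the admin console."""
    hits = []
    for line in log_lines:
        fields = line.split()
        # Common Log Format: ip - - [ts tz] "METHOD path HTTP/x" status size
        if len(fields) < 7:
            continue
        client_ip, request_path = fields[0], fields[6]
        params = parse_qs(urlsplit(request_path).query)  # percent-decodes
        for src in params.get("productNameSrc", []):
            if is_external_image_src(src):
                hits.append((client_ip, src))
    return hits


# Constructed sample log: one phishing-style injection, one benign relative
# path, and one protocol-relative variant.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2020:10:00:00 +0000] "GET /admin-app/index.jsp?productNameSrc=http%3A%2F%2Fphish.example%2Flogo.png&productNameHeight=60&productNameWidth=200 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/May/2020:10:01:00 +0000] "GET /admin-app/index.jsp?productNameSrc=images%2Flogo.gif HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/May/2020:10:02:00 +0000] "GET /admin-app/index.jsp?productNameSrc=%2F%2Fphish.example%2Flogo.png HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, src in flag_requests(SAMPLE_LOG):
        print(f"external image source from {ip}: {src}")
```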