Unpatched Bugs in Oracle iPlanet Open Door to Info-Disclosure, Injection

A pair of vulnerabilities in Oracle’s iPlanet Web Server have been disclosed that can lead to sensitive data exposure and image injections onto web pages if exploited. However, no patch is forthcoming for either flaw.

The bugs (CVE-2020-9315 and CVE-2020-9314) are specifically found in the web administration console of iPlanet version 7, which has reached end-of-life and is no longer supported – hence no patches.

The first issue allows read-only access to any page within the administration console without authentication.

“This can result in sensitive data exposure of configuration information about the server, including encryption keys, Java Virtual machine (JVM) configuration and other data,” researchers at Nightwatch Security said in a posting on Sunday about the issue. “We did not perform testing to see whether this vulnerability allows for changes to be made within the console.”

Attackers can replace any URL for any page within the administration console, they added.

The second issue arises from the “productNameSrc” parameter in the administration console.

“When used in combination with the ‘productNameHeight’ and “productNameWidth” parameters, this can be used to inject an external image into a site to facilitate phishing,” according to the researchers. “This is due to an incomplete fix for CVE-2012-0516. The earlier fix added validation against XSS issues but didn’t add validation to make sure an external image is not loaded.”

Oracle pointed the researchers to its EOL statement when the bug report was submitted.

“Thank you for your report regarding Oracle iPlanet Web Server 7.0.x, which is no longer supported by Oracle,” said the vendor. “Since Oracle no longer supports Oracle iPlanet Web Server 7.0.x, the policy is that there is no coordinated disclosure involving Oracle. Reporters who discover security vulnerabilities in products that Oracle no longer supports are free to disclose vulnerability details without Oracle participation.”

Even though there’s no patch, all is not lost: Users can implement other controls to mitigate the problem and reduce risk, according to Nightwatch – such as restricting network access to the administration console from the internet.

Version 7 if iPlanet is vulnerable, but Nightwatch didn’t test earlier versions.

Oracle’s regular Patch Tuesday updates are expected tomorrow.

_Inbox security is your best defense against today’s fastest growing security threat – phishing and Business Email Compromise attacks. _On May 13 at 2 p.m. ET_, join Valimail security experts and Threatpost for a FREE webinar, _5 Proven Strategies to Prevent Email Compromise_. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please __register here _for this sponsored webinar.

Also, don’t miss our latest on-demand webinar from DivvyCloud and Threatpost,A Practical Guide to Securing the Cloud in the Face of Crisis, with critical, advanced takeaways on how to avoid cloud disruption and chaos.