
Integrigy Security Alert - Oracle E-Business Suite AOL/J Setup Test Information Disclosure

Integrigy Security Alert

Oracle E-Business Suite AOL/J Setup Test Information Disclosure
July 23, 2003


The Oracle Applications AOL/J Setup Test Suite, used to trouble-shoot the
Self-Service framework, can be exploited to remotely retrieve sensitive
configuration and host information without application authentication.  The
AOL/J Setup Test Suite is installed by default for all 11i
A mandatory patch from Oracle is required to solve this security issue.

Product:    Oracle E-Business Suite
Versions:   11.5.1 - 11.5.8
Platforms:  All platforms
Risk Level: Low


The Oracle Applications Self-Service Framework (OA Framework) is the
foundation for self-service HRMS, iProcurement, iExpenses, and other web
applications.  The OA Framework includes a Test Suite used to verify its
installation and configuration.  The AOL/J Setup Test Suite is implemented
as Java Server Pages (JSP) and the main JSP page is "aoljtest.jsp".  The
AOL/J Setup Test Suite is installed for all 11i web and forms servers in the
$COMMON_TOP/html/jsp/fnd directory.

Multiple vulnerabilities exist in the AOL/J Setup Test Suite allowing an
attacker to obtain valuable information on the configuration of Oracle
Applications without any database or application authentication.  This
information includes the GUEST user password and application server


Oracle has released a patch for the Oracle E-Business Suite 11i to correct
this vulnerability.  Oracle has corrected multiple vulnerabilities in the
AOL/J Setup Test Suite JSPs.

The following Oracle patch must be applied --

      Version     Patch
      -------     -----
      11i         2939083     (11.5.1 - 11.5.8)

Oracle Applications customers should consider this vulnerability low risk
and apply the above patch during the next normal maintenance cycle.
Customers with Internet facing application servers should apply the patch
immediately or consider removing or restricting access to the AOL/J Setup
Test Suite.  In addition, the GUEST user account should be checked to ensure
that it has only publicly accessible responsibilities assigned to it.
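
To check whether the test suite has already been reached from outside before it
is patched or restricted, the web server access logs can be searched for
requests to aoljtest.jsp.  The script below is an added example, not part of
the Integrigy alert or of Oracle's code; it assumes Apache common/combined log
format, and the internal address ranges and the /OA_HTML/ URL prefix in the
sample lines are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Assumption: ranges treated as internal; adjust to the local network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8")]
# Apache common/combined log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
TARGET = "aoljtest.jsp"  # main page of the AOL/J Setup Test Suite, per the advisory

def find_test_suite_hits(lines):
    """Return {client: [(timestamp, path, status, external), ...]} for requests to TARGET."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        host, when, _method, target, status = m.groups()
        # Drop the query string, decode percent-escapes and ignore case before matching.
        path = unquote(urlsplit(target).path).lower()
        if not path.endswith("/" + TARGET):
            continue
        try:
            addr = ipaddress.ip_address(host)
            external = not any(addr in net for net in INTERNAL_NETS)
        except ValueError:
            external = True  # a hostname was logged instead of an IP: treat as external
        hits[host].append((when, path, int(status), external))
    return dict(hits)

def external_successes(hits):
    """Clients outside INTERNAL_NETS that received a 200 response for the test page."""
    return sorted(ip for ip, rows in hits.items() if any(ext and st == 200 for _, _, st, ext in rows))

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '10.1.2.3 - - [23/Jul/2003:10:00:01 -0400] "GET /OA_HTML/jsp/fnd/aoljtest.jsp HTTP/1.0" 200 5120',
    '203.0.113.7 - - [23/Jul/2003:10:05:44 -0400] "GET /OA_HTML/jsp/fnd/AOLJTEST.JSP HTTP/1.0" 200 5120',
    '198.51.100.9 - - [23/Jul/2003:10:06:10 -0400] "GET /OA_HTML/jsp/fnd/aol%6Atest.jsp HTTP/1.0" 404 210',
    '203.0.113.7 - - [23/Jul/2003:10:07:02 -0400] "GET /OA_HTML/US/ICXINDEX.htm HTTP/1.0" 200 900',
    'not an access log line',
]

if __name__ == "__main__":
    for ip in external_successes(find_test_suite_hits(SAMPLE)):
        print("external client received the AOL/J test page:", ip)
```

A 200 response to an external client means the page was served to that client;
404 or 403 responses after the patch or an access restriction show the
mitigation is in effect.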

Appropriate testing and backups should be performed before applying any

Additional Information:

For more information or questions regarding this security alert, please
contact us at


This vulnerability was discovered by Stephen Kost of Integrigy

About Integrigy Corporation (

Integrigy Corporation is a leader in application security for large
enterprise, mission critical applications. Our application vulnerability
assessment tool, AppSentry, assists companies in securing their largest and
most important applications. Integrigy Consulting offers security
services for leading ERP and CRM applications.

For more information, visit
