<<< Date Index >>>     <<< Thread Index >>>

Oracle Jinitiator 1.1.8 Vulnerabilities CVE-2007-4467 - Additional Information



US-CERT released an advisory on August 28, 2007 regarding multiple stack
buffer overflows in the Oracle Jinitiator product (Vulnerability Note
VU#474433/CVE-2007-4467).  Due to limited public technical information on
Jinitiator, no access to the Oracle support website, and maybe lack of
cooperation from Oracle itself, the information released by US-CERT is
incomplete as to the true scope of vulnerable Jinitiator versions, does not
identify all vulnerable Jinitiator installs, and has only limited
remediation steps.

All released Jinitiator 1.1.8 versions from 1.1.8.3 to 1.1.8.25 contain the
buffer overflows in the Jinitiator ActiveX control ? the US-CERT advisory
only identifies versions through 1.1.8.16 as vulnerable.  Each Jinitiator
1.1.8 version install uses a separate Microsoft Windows CLSID for the
vulnerable ActiveX control to allow for multiple versions to co-exist,
therefore, 15 CLSIDs must be used to disable/identify the vulnerable ActiveX
controls rather than the single CLSID identified in the original advisory. 
In addition to disabling and uninstalling the vulnerable Jinitiator
software, applications currently using vulnerable Jinitiator versions must
be upgraded to use version 1.3.x which may also require upgrading the Oracle
Forms software running on the server.  It is important to note that each
Jinitiator version (1.1.8.x) is a separate installation and there could be
theoretically as many as 15 versions of Jinitiator 1.1.8 simultaneously
installed on a client PC, even though only one or two versions are currently
being used.

Oracle Jinitiator is used by many Oracle Forms applications including
mission-critical applications like Oracle E-Business Suite 11i, Oracle
Clinical (RDC), Retek/Oracle Retail, Sungard Banner, and i-flex FLEXCUBE. 
Any client PC that has accessed an Oracle Forms application may have one or
more vulnerable Jinitiator versions installed, since obsolete versions are
never overwritten or uninstalled.

Integrigy has released a detailed analysis of these vulnerabilities to
provide additional information and comprehensive remediation steps.  The
analysis can be downloaded from -

http://www.integrigy.com/security-resources/analysis/integrigy-oracle-jiniti
ator-vulnerability.pdf