{"vuid":"VU#168873","idnumber":"168873","name":"Oracle E-Business Suite Report Review Agent (RRA) allows arbitrary files to be retrieved with no authentication","keywords":["Oracle","Applications FND File Server","FNDFS","Report Review Agent","RRA","FNDWRR.exe","ADI Request Center","applmgr","arbitrary file","no authentication"],"overview":"A vulnerability in Oracle's E-Business Suite Report Review Agent (RRA) allows arbitrary files to be retrieved with no authentication.","clean_desc":"A vulnerability exists in the Oracle E-Business Suite Report Review Agent (RRA). This vulnerability may allow a remote attacker to retrieve arbitrary information from Oracle Applications Concurrent Manager servers prior to authentication. For more information, please see the following documents: Oracle Security Alert 53\nIntegrity Security Alert","impact":"A remote attacker may be able to retrieve arbitrary information from Oracle Applications Concurrent Manager servers prior to authentication.","resolution":"Apply a vendor supplied patch.","workarounds":"Mitigation Monitor and/or restrict access to the Concurrent Manager server(s). It may be possible to use TCP Wrappers or similar technology to provide improved access control and logging. Additionally, an application-level firewall and Intrusion Detection System (IDS) may be able to filter requests. Note that these workarounds are designed to limit access and detect exploit attempts. These workarounds do not prevent exploitation of this vulnerability. For more information about which ports to filter, please see the Integrity Security Alert.","sysaffected":"","thanks":"This vulnerability was discovered by Stephen Kost of \nIntegrigy Corporation","author":"This document was written by Ian A Finlay.","public":["http://www.integrigy.com/info/Integrigy_OracleDB_Listener_Security.pdf","http://otn.oracle.com/deploy/security/pdf/2003alert53.pdf","http://www.integrigy.com/alerts/FNDFS_Vulnerability.htm","http://securitytracker.com/alerts/2003/Apr/1006550.html","http://www.oracle.com/applications/index.html"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2003-04-11T12:51:39Z","publicdate":"2003-04-10T00:00:00Z","datefirstpublished":"2003-04-14T16:53:16Z","dateupdated":"2003-04-14T16:54:43Z","revision":15,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"10","cam_population":"10","cam_impact":"20","cam_easeofexploitation":"10","cam_attackeraccessrequired":"10","cam_scorecurrent":"9.375","cam_scorecurrentwidelyknown":"11.25","cam_scorecurrentwidelyknownexploited":"18.75","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":9.375,"vulnote":null}