2 Vulnerabilities with no available patch in Oracle iPlanet Web Server

Specialists in a hacking course have disclosed a set of vulnerabilities affecting Oracle iPlanet Web Server. The flaws, tracked as CVE-2020-9315 and CVE-2020-9314, can be exploited to expose sensitive data and to carry out command injection attacks.

The initial report was submitted by researchers at Nightwatch Cybersecurity in early 2020. Specifically, the flaws were found in the web management console of this enterprise server management tool. Below is a brief overview of the vulnerabilities, along with their respective Common Vulnerability Scoring System (CVSS) scores.

  • CVE-2020-9315: This vulnerability allows any unauthenticated threat actor to read any page within the console simply by substituting the target page into an administrator GUI URL. Hacking course experts believe this flaw leaks sensitive data, including configuration information and encryption keys.
  • CVE-2020-9314: This flaw resides in the console’s “productNameSrc” parameter. An incomplete fix for CVE-2012-0516 (an XSS input-validation issue) allows this parameter to be abused, together with the “productNameHeight” and “productNameWidth” parameters, to inject images into the console’s domain, which could facilitate phishing and social engineering campaigns.
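As an added illustration that is not part of the original report, the following Python script applies the two points above from a defender's side: it scans web access logs for console requests that reach the server from outside an allowlisted network (the network-restriction mitigation the article recommends) and for “productNameSrc” values that point off-host. The console path prefix, the allowlisted network and the log lines are all constructed assumptions, not values from the advisory.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumptions (not taken from the advisory): the console lives under this
# placeholder path prefix, and only this network should ever reach it.
ADMIN_PREFIX = "/admin-console/"   # placeholder; substitute the real console path
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample access-log lines in Common Log Format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Feb/2020:10:00:01 +0000] "GET /admin-console/about?productNameSrc=images/logo.gif&productNameWidth=100&productNameHeight=50 HTTP/1.1" 200 512
198.51.100.7 - - [02/Feb/2020:10:00:02 +0000] "GET /admin-console/about?productNameSrc=https://lure.example/login.png&productNameWidth=600&productNameHeight=400 HTTP/1.1" 200 512
10.0.0.5 - - [02/Feb/2020:10:00:03 +0000] "GET /admin-console/about?productNameSrc=//lure.example/login.png HTTP/1.1" 200 512
203.0.113.9 - - [02/Feb/2020:10:00:04 +0000] "GET /admin-console/config/keys HTTP/1.1" 200 8192
10.0.0.5 - - [02/Feb/2020:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def external_image_src(target):
    """Return the productNameSrc value when it points off-host (an absolute or
    protocol-relative URL), otherwise None. The console's own images are
    referenced by relative path, so a host component is the tell."""
    for src in parse_qs(urlsplit(target).query).get("productNameSrc", []):
        if urlsplit(src).netloc:
            return src
    return None


def scan_log(text):
    """Return (client_ip, reason, detail) findings for suspicious console traffic."""
    findings = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        ip, target, status = m["ip"], m["target"], m["status"]
        path = urlsplit(target).path
        if not path.startswith(ADMIN_PREFIX):
            continue
        # A 2xx console page served to a client outside the allowlist means the
        # network restriction is not in place (or has been bypassed).
        if status.startswith("2") and not any(
            ipaddress.ip_address(ip) in net for net in ADMIN_ALLOWLIST
        ):
            findings.append((ip, "console reached from outside allowlist", path))
        src = external_image_src(target)
        if src:
            findings.append((ip, "external productNameSrc", src))
    return findings
```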

While Oracle iPlanet Web Server 7.0.x is exposed to these flaws, it is not yet clear whether earlier versions are also affected. Hacking course experts point out that the latest versions of Oracle GlassFish and Eclipse GlassFish “share common code” with iPlanet, but “don’t seem to be vulnerable”.

Because iPlanet Web Server 7.0.x is a legacy product that Oracle no longer supports, the company is unlikely to release security updates. In addition, the vulnerability report notes that, because of this status, the researchers were free to disclose the details of the vulnerabilities without Oracle’s intervention.

The International Institute of Cyber Security (IICS) recommends that users who still run this software adopt other measures to mitigate the risk of exploitation, such as restricting network access to the console or upgrading to a newer version of the software. Oracle rejected the reports twice because the product is no longer supported, so the flaws were submitted for CVE assignment; CVE identifiers had been assigned by February 2, and the details were made public in May 2020.