Oracle iPlanet Web Server has two critical CVE flaws, fix not coming
If you are using Oracle iPlanet Web Server, you should read this news. Oracle iPlanet Web Server (OiWS) is a web server designed especially for small and medium businesses. Security researchers at Nightwatch Cybersecurity have discovered two vulnerabilities in the web administration console of OiWS.
The vulnerabilities, both critical, are listed as CVE-2020-9315 and CVE-2020-9314; they allow for sensitive data exposure and limited injection attacks.
The first vulnerability, CVE-2020-9315, allows anyone with knowledge of OiWS to read any page within the console, without authentication, by simply substituting the admin GUI URL for the target page. The Nightwatch researchers say that this bug could result in the leak of sensitive data, including configuration information and encryption keys. The second security flaw, CVE-2020-9314, was discovered in the “productNameSrc” parameter of the console. It is a follow-up to an earlier issue, CVE-2012-0516, an ‘unspecified’ security problem involving XSS validation, which allowed this parameter to be abused in conjunction with the “productNameHeight” and “productNameWidth” parameters to inject images into the domain for the purposes of phishing and social engineering.
The current Oracle iPlanet Web Server 7.0.x is vulnerable to these issues. The Nightwatch researchers say that the latest versions of Oracle GlassFish and Eclipse GlassFish “share common code” with iPlanet, but they “do not seem to be vulnerable.” As iPlanet Web Server 7.0.x is a legacy product and is no longer supported by Oracle, there are no plans to issue security fixes.
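Because no patch is coming, an administrator's options are to restrict who can reach the admin console and to watch the access log for the two patterns the article describes: console pages served to clients outside the management network, and requests whose “productNameSrc” parameter points at a host other than the server itself. The following log-triage script is an added example written for this article; it is not code from Nightwatch or Oracle. The admin GUI path prefix (`/admingui/`), the management-host list and the sample log lines are constructed assumptions, since the article does not give the console's real URL.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumptions (not from the article): the admin GUI is served under this
# path prefix, and only these management hosts should ever reach it.
ADMIN_PREFIX = "/admingui/"
MANAGEMENT_HOSTS = frozenset({"10.0.5.10", "10.0.5.11"})

# Common Log Format: client ident user [time] "METHOD target proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3}) \S+$')

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.5.10 - - [01/Jun/2020:10:00:01 +0000] "GET /admingui/index.jsf HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jun/2020:10:00:02 +0000] "GET /admingui/index.jsf HTTP/1.1" 200 5120
10.0.5.10 - - [01/Jun/2020:10:00:03 +0000] "GET /admingui/index.jsf?productNameSrc=/images/logo.gif&productNameWidth=100&productNameHeight=40 HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jun/2020:10:00:04 +0000] "GET /admingui/index.jsf?productNameSrc=http://external.example/lure.png&productNameWidth=800&productNameHeight=600 HTTP/1.1" 200 5120
198.51.100.2 - - [01/Jun/2020:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1200
"""


def analyse_line(line, allowed=MANAGEMENT_HOSTS, own_hosts=frozenset()):
    """Return a list of finding strings for one access-log line.

    own_hosts: hostnames under which this server is legitimately reached;
    a productNameSrc pointing anywhere else is flagged.
    """
    m = LOG_RE.match(line)
    if not m:
        return []
    client, _method, target, status = m.groups()
    parts = urlsplit(target)
    if not parts.path.startswith(ADMIN_PREFIX):
        return []  # not an admin-console request

    findings = []
    # CVE-2020-9315 exposure: a console page was served (2xx) to a client
    # that is not a management host, i.e. the console is reachable too widely.
    if client not in allowed and status.startswith("2"):
        findings.append(f"{client}: admin console page served to non-management client")

    # CVE-2020-9314 pattern: productNameSrc referencing an external host.
    src = parse_qs(parts.query).get("productNameSrc", [None])[0]
    if src is not None:
        host = urlsplit(src).netloc.lower()
        if host and host not in own_hosts:
            findings.append(f"{client}: productNameSrc points at external host {host}")
    return findings


def scan(log_text, **kwargs):
    """Run analyse_line over every line of an access log and collect findings."""
    findings = []
    for line in log_text.splitlines():
        findings.extend(analyse_line(line, **kwargs))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the script reports three findings: the unauthenticated console hit from 203.0.113.7, and the same client's request carrying an off-host “productNameSrc”; the management host's request with a relative image path produces nothing. Pair the detection with a network-level restriction on the console path, since that is the only mitigation available for an unsupported product.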