US-CERT released an advisory in August regarding multiple stack buffer overflows in the Oracle Jinitiator product (Vulnerability Note VU#474433 / CVE-2007-4467). Due to limited public technical information on Jinitiator, no access to the Oracle support website, and possibly a lack of cooperation from Oracle itself, the information released by US-CERT is incomplete as to the true scope of vulnerable Jinitiator versions, does not identify all vulnerable Jinitiator installs, and offers only limited remediation steps.

All released Jinitiator 1.1.8 versions from 1.1.8.3 to 1.1.8.25 contain the buffer overflows in the Jinitiator ActiveX control; the US-CERT advisory identifies only versions through 1.1.8.16 as vulnerable. Each Jinitiator 1.1.8 version installs with its own Microsoft Windows CLSID for the vulnerable ActiveX control so that multiple versions can co-exist. Therefore 15 CLSIDs must be used to identify and disable the vulnerable ActiveX controls, rather than the single CLSID identified in the original advisory.

Potentially, all client PCs that have accessed an Oracle Forms application such as Oracle E-Business Suite 11i, Oracle Clinical, Retek, Sungard Banner, FLEXCUBE, or any custom Oracle Forms application could be vulnerable. This vulnerability differs from previous Oracle vulnerabilities in that it is in the client web software, not the server. It is important to note that each Jinitiator 1.1.8.x version is a separate installation, so theoretically as many as 15 versions of Jinitiator 1.1.8 could be installed on a client PC at the same time, even though only one or two of them are currently in use. In addition to disabling and uninstalling the vulnerable Jinitiator software, applications currently using vulnerable Jinitiator versions must be upgraded to use version 1.3.x, which may also require upgrading the Oracle Forms software running on the server.
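The CLSID point is the part a practitioner has to act on: with one control registered per installed version, disabling the vulnerable control means finding every Jinitiator 1.1.8.x CLSID present on a PC, not just the one named in the original advisory. The script below is an added example and is not part of this advisory, nor Oracle's or US-CERT's code. It audits the text of a `reg export HKCR\CLSID` dump collected from a client, picks out every InprocServer32 entry whose path lies under a "JInitiator <version>" directory (an assumption about Oracle's per-version install layout), and emits a .reg fragment that sets Microsoft's documented ActiveX kill bit (a "Compatibility Flags" DWORD with 0x400 set under the ActiveX Compatibility key) for each control in the 1.1.8.3 to 1.1.8.25 range. The CLSIDs, paths and the .ocx file name in SAMPLE_EXPORT are constructed placeholders, not Oracle's real identifiers.

```python
"""Audit a registry export for Jinitiator 1.1.8.x ActiveX controls and build a kill-bit .reg fragment.

Added example, not code from the advisory. Input is the text of
`reg export HKCR\\CLSID clsid.reg` (decode the UTF-16 file first).
"""
import re

# Microsoft's documented kill-bit mechanism: a "Compatibility Flags" DWORD with
# bit 0x400 set under this key stops Internet Explorer from instantiating the
# control with that CLSID, even though the .ocx remains on disk.
KILLBIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILLBIT_FLAG = 0x400

# Vulnerable range stated in the advisory text: every 1.1.8 release from 1.1.8.3 to 1.1.8.25.
VULN_LOW, VULN_HIGH = (1, 1, 8, 3), (1, 1, 8, 25)

# Assumption: each Jinitiator version lives in its own "JInitiator <version>" directory
# and registers its control with an InprocServer32 path inside that directory.
JINIT_PATH_RE = re.compile(r"JInitiator\s+(\d+(?:\.\d+){1,3})", re.IGNORECASE)
KEY_RE = re.compile(
    r"^\[(?:HKEY_CLASSES_ROOT|HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes)\\CLSID\\"
    r"(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})\\InprocServer32\]$"
)
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')

# Constructed sample export: placeholder CLSIDs and paths, not Oracle's real ones.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}]
@="Oracle JInitiator 1.1.8.16 (placeholder)"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Oracle\\JInitiator 1.1.8.16\\bin\\jinit.ocx"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Program Files\\Oracle\\JInitiator 1.1.8.25\\bin\\jinit.ocx"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000003}\InprocServer32]
@="C:\\Program Files\\Oracle\\JInitiator 1.3.1.22\\bin\\jinit.ocx"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000004}\InprocServer32]
@="C:\\Windows\\System32\\msxml3.dll"
"""


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version):
    """True for the 1.1.8.3 .. 1.1.8.25 range the advisory identifies as affected."""
    return VULN_LOW <= parse_version(version) <= VULN_HIGH


def find_jinitiator_controls(reg_text):
    """Map CLSID -> (version, ocx path) for every InprocServer32 under a JInitiator directory."""
    found = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1).upper() if m else None
            continue
        if current is None:
            continue
        m = DEFAULT_VALUE_RE.match(line)
        if not m:
            continue
        path = m.group(1).replace("\\\\", "\\")  # .reg files escape backslashes
        v = JINIT_PATH_RE.search(path)
        if v:
            found[current] = (v.group(1), path)
    return found


def vulnerable_controls(found):
    """Keep only the controls whose version falls in the affected 1.1.8.x range."""
    return {clsid: info for clsid, info in found.items() if is_vulnerable(info[0])}


def killbit_reg(clsids):
    """Build a .reg fragment that sets the kill bit for each CLSID (import with reg.exe as admin)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in sorted(clsids):
        lines.append(f"[{KILLBIT_KEY}\\{clsid}]")
        lines.append(f'"Compatibility Flags"=dword:{KILLBIT_FLAG:08x}')
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    controls = find_jinitiator_controls(SAMPLE_EXPORT)
    for clsid, (version, path) in sorted(controls.items()):
        status = "VULNERABLE" if is_vulnerable(version) else "ok"
        print(f"{clsid}  {version:<10} {status:<10} {path}")
    print(killbit_reg(vulnerable_controls(controls)))
```

`reg export` writes UTF-16, so open the dump with `encoding="utf-16"` before passing its text in. The kill bit only blocks instantiation from Internet Explorer, which is the client-side vector the advisory describes; it leaves every Jinitiator install on disk, so uninstalling the vulnerable versions and moving the Forms applications to 1.3.x remains the actual fix.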