Researcher Discloses Critical Flaws in Oracle Forms and Reports

Researcher Dana Taylor recently disclosed three vulnerabilities found in Oracle’s Forms and Reports products, which, if exploited, would give an attacker access to the victim’s server or, worse, their entire network.

The issues were discovered and reported responsibly in 2011. But in the years since, Taylor feels that Oracle hasn’t done enough to protect customers. So she has opted for Full Disclosure of the vulnerabilities and the steps needed to reproduce them.

In a blog post, she made her frustrations clear:

“After working with Oracle starting about 2 years ago, they refused to treat these vulnerabilities as serious and didn’t appropriately address them. If you give a vulnerability a rating of medium/low it is likely not going to get any attention drawn to it by those who manage Oracle servers. I showed Oracle the videos of getting a remote shell on one of their vulnerable systems and they didn’t budge from their current stance.”

Noting that she went above and beyond what most vendors and security professionals consider responsible disclosure, Taylor said she is releasing the details of her work publicly in order to hold “vendors responsible for their own vulnerabilities.” This includes treating them “with a proper criticality rating as well as taking appropriate action to protect users of their product,” she said.

via Researcher discloses critical flaws in Oracle Forms and Reports | CSO Blogs.

———————————————-

Journal of Law & Cyber Warfare | www.jlcw.org The Journal of Law & Cyber Warfare provides a public peer-reviewed law publication to foster open discussion and education of technology, government and legal stakeholder in relation to the complex issue of cyber warfare. Journal of Law & Cyber Warfare accepts articles written by military, technology, judges, government officials, academic and legal practitioners. The Journal of Law & Cyber Warfare is honored by the world class caliber editorial board that is involved with the Journal. Thought leaders from forensics, law, warfare, and cyber security are on the Board. The Journal is always looking for interested thought leaders who believe they can contribute in a meaningful fashion to the development of cyber warfare scholarship.