Security Weakness in Business Intelligence Reports (Release 11i3)

Creation Date: 04-DEC-2002
Last Revision Date: 04-DEC-2002

Versions Affected

All Oracle Reports under the Oracle Business Intelligence System products Release 11i3

Platforms Affected

All Platforms

Description

A potential security vulnerability has been discovered in the Oracle Business Intelligence System Reports using Oracle Reports.

Oracle Business Intelligence System Reports, using Oracle Reports, contain a vulnerability that allows a knowledgeable and malicious user to bypass the user authentication check and gain unauthorized access to Oracle Reports.

Workaround

Oracle has fixed the potential security vulnerability identified above, under Mandatory Applications Security Patch for bug number 2590251. A patch for each Oracle Business Intelligence product can be downloaded individually (please see patch matrix below). A consolidated patch will also be available for download in the near future. This MetaLink Note will be updated with the consolidated patch number once available.

Patches

Patch Matrix Availability

Product                             Patch Number
BIM : Marketing Intelligence        2601916
ABM : Activity Based Management     2601866
BIX : Call Center Intelligence      2601931
HRI : HR Intelligence               2601959
CST : Oracle Cost Management        2601947
INV : Oracle Inventory              2601973
WIP : Work in Progress              2601994
QLT : Oracle Quality                2602314
MRP : Material Resource Planning    2602285
POA : Purchasing Intelligence       2593086
PMI : Process Manufacturing Int     2601988
BIL : Sales Intelligence            2601902
FII : Financials Intelligence       2600394
BIC : Customer Intelligence         Please contact Oracle Support

If you are running Oracle Reports from any of these Intelligence products of the Oracle Business Intelligence System, Oracle strongly recommends that you apply the corresponding patch from the matrix above. Doing so will avoid this potential security vulnerability in the future.

Download currently available patches from the Oracle Worldwide Support Services web site, MetaLink (http://metalink.oracle.com). Activate the Patches button to get to the patches web page. Enter the patch number for the Intelligence product you need, as indicated in the table above, select a platform and activate the 'Submit' button.

Oracle strongly recommends that you back up and comprehensively test the stability of your system upon application of any patch prior to deleting any of the original file(s) that are replaced by the patch.