US-CERT released an advisory on August 28, 2007 regarding multiple stack buffer overflows in the Oracle Jinitiator product (Vulnerability Note VU#474433/CVE-2007-4467). Due to limited public technical information on Jinitiator, no access to the Oracle support website, and maybe lack of cooperation from Oracle itself, the information released by US-CERT is incomplete as to the true scope of vulnerable Jinitiator versions, does not identify all vulnerable Jinitiator installs, and has only limited remediation steps. All released Jinitiator 1.1.8 versions from 1.1.8.3 to 1.1.8.25 contain the buffer overflows in the Jinitiator ActiveX control ? the US-CERT advisory only identifies versions through 1.1.8.16 as vulnerable. Each Jinitiator 1.1.8 version install uses a separate Microsoft Windows CLSID for the vulnerable ActiveX control to allow for multiple versions to co-exist, therefore, 15 CLSIDs must be used to disable/identify the vulnerable ActiveX controls rather than the single CLSID identified in the original advisory. In addition to disabling and uninstalling the vulnerable Jinitiator software, applications currently using vulnerable Jinitiator versions must be upgraded to use version 1.3.x which may also require upgrading the Oracle Forms software running on the server. It is important to note that each Jinitiator version (1.1.8.x) is a separate installation and there could be theoretically as many as 15 versions of Jinitiator 1.1.8 simultaneously installed on a client PC, even though only one or two versions are currently being used. Oracle Jinitiator is used by many Oracle Forms applications including mission-critical applications like Oracle E-Business Suite 11i, Oracle Clinical (RDC), Retek/Oracle Retail, Sungard Banner, and i-flex FLEXCUBE. Any client PC that has accessed an Oracle Forms application may have one or more vulnerable Jinitiator versions installed, since obsolete versions are never overwritten or uninstalled. Integrigy has released a detailed analysis of these vulnerabilities to provide additional information and comprehensive remediation steps. The analysis can be downloaded from - http://www.integrigy.com/security-resources/analysis/integrigy-oracle-jiniti ator-vulnerability.pdf
