If not patched, the two security flaws in Oracle's E-Business Suite could let hackers install and run malicious code of their choice on the E-Business Suite server, the company says. Oracle has ranked both of these flaws as "high risk." One flaw is within the suite's Java Server Pages within the AOL/J Setup Test Suite for its E-Business Suite. This flaw could allow an attacker to view server configuration information that could be used to hack the suite.
A second flaw is located in the suite's FNDWRR component. FNDWRR contains a buffer overflow vulnerability that could enable an attacker to crash the program and potentially run malicious code, the company says.
Oracle also is warning of a less serious flaw, a buffer overflow, in its database server. This flaw could enable an attacker to run malicious code on an unpatched system. However, Oracle says the flaw is unlikely to be exploited by a remote attacker; the greatest risk is that the system will be attacked by a corporate insider. Oracle has ranked this flaw as a low risk.
Oracle has detailed information on these vulnerabilities and patches to fix the flaws available here.