A complete revision history can be found at the end of this file.
Multiple vulnerabilities in Oracle Application Server and Oracle Database have recently been discovered. These vulnerabilities include buffer overflows, insecure default settings, failures to enforce access controls, and failure to validate input. The impacts of these vulnerabilities include the execution of arbitrary commands or code, denial of service, and unauthorized access to sensitive information.
I. Description
Oracle Application Server includes a web server based on the Apache HTTP Server. Oracle extends the web server with a variety of different components that can be used to provide interfaces to database applications. These components include, but are not limited to, a Procedural Language/Structured Query Language (PL/SQL) module, Java Server Pages, XSQL Servlets, and Simple Object Access Protocol (SOAP) applications. A number of vulnerabilities have been reported in these and other components used in Oracle Application Server and Oracle Database.
Although these reports focus primarily on Oracle9i Application Server, Oracle Database products are also affected. In particular, vulnerable versions of the PL/SQL module can be used with Oracle9i Application Server, Oracle9i Database, and Oracle8i Database.
The vulnerabilities referenced in this advisory were reported in several publications by David Litchfield of NGSSoftware:
For the complete list of Oracle-related vulnerabilities published by the CERT/CC, please search the Vulnerability Notes Database using the term "Oracle". Details about specific vulnerabilities can be found in the appropriate Vulnerability Note.
Several buffer-overflow vulnerabilities exist in the way the PL/SQL module handles HTTP requests and configuration parameters. Default configuration settings in a range of components are insecure, and different components fail to apply access restrictions uniformly. These vulnerabilities expose both the systems running Oracle Application Server and the information held in the underlying databases to undue risk.
Four buffer overflow vulnerabilities exist in the way the PL/SQL module handles HTTP requests (the help page request, Location header, HTTP request, and Authorization header cases listed below). Two more buffer overflow vulnerabilities exist in code that processes configuration parameters, which can be specified via the PL/SQL gateway web administration interface. By default, access to the PL/SQL gateway web administration interface is not restricted [VU#611776].
VU#500203 - Oracle9i Application Server Apache PL/SQL module vulnerable to buffer overflow via help page request
VU#313280 - Oracle9i Application Server Apache PL/SQL module vulnerable to buffer overflow via HTTP Location header
VU#750299 - Oracle9i Application Server Apache PL/SQL module vulnerable to buffer overflow via HTTP request
VU#878603 - Oracle9i Application Server Apache PL/SQL module vulnerable to buffer overflow via HTTP Authorization header
VU#659043 - Oracle9i Application Server Apache PL/SQL module vulnerable to buffer overflow via Database Access Descriptor password
VU#923395 - Oracle9i Application Server Apache PL/SQL module vulnerable to buffer overflow via cache directory name
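The six overflows listed above share one pattern: request or configuration data is copied into a fixed-size buffer without a length check. The following C example is added here to illustrate that pattern for the HTTP Authorization header case (VU#878603); it is not Oracle's code and not part of the advisory. It decodes a Basic credential and splits it into user and password buffers, first with no bounds check (the vulnerable shape) and then with a bounded decode and explicit length checks that reject over-long input before any copy. The buffer sizes USER_MAX and PASS_MAX, the decode routine, and the sample credential scott:tiger are all assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Credential buffer sizes (assumed for illustration, not Oracle's values). */
#define USER_MAX 64
#define PASS_MAX 64

typedef enum { AUTH_OK = 0, AUTH_MALFORMED = 1, AUTH_TOO_LONG = 2 } auth_status;

static const char B64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Decode base64 into out: returns the decoded length, -1 on a bad character,
 * or -2 when the decoded data would not fit in out_cap bytes. */
static int b64_decode(const char *in, unsigned char *out, size_t out_cap)
{
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(B64, *in);
        if (!p) return -1;
        acc = (acc << 6) | (unsigned int)(p - B64);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= out_cap) return -2;
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
            acc &= (1u << bits) - 1;
        }
    }
    return (int)n;
}

/* Vulnerable pattern (illustrative, not Oracle's code): the decoded "user:password"
 * is split into the caller's fixed-size buffers with no length check, so an over-long
 * user name or password overruns them. Do not call this with untrusted input. */
int parse_basic_auth_unsafe(const char *header, char *user, char *pass)
{
    unsigned char decoded[4096], *colon;
    int n;
    if (strncmp(header, "Basic ", 6) != 0) return -1;
    n = b64_decode(header + 6, decoded, sizeof decoded);
    if (n < 0 || !(colon = memchr(decoded, ':', (size_t)n))) return -1;
    memcpy(user, decoded, (size_t)(colon - decoded));                 /* no USER_MAX check */
    user[colon - decoded] = '\0';
    memcpy(pass, colon + 1, (size_t)n - (size_t)(colon - decoded) - 1); /* no PASS_MAX check */
    pass[(size_t)n - (size_t)(colon - decoded) - 1] = '\0';
    return 0;
}

/* Hardened version: decode into a buffer sized for the largest acceptable credential,
 * then check both field lengths (leaving room for the NUL) before any copy. */
auth_status parse_basic_auth_safe(const char *header, char *user, size_t user_cap,
                                  char *pass, size_t pass_cap)
{
    unsigned char decoded[USER_MAX + 1 + PASS_MAX], *colon;
    size_t ulen, plen;
    int n;
    if (strncmp(header, "Basic ", 6) != 0) return AUTH_MALFORMED;
    n = b64_decode(header + 6, decoded, sizeof decoded);
    if (n == -2) return AUTH_TOO_LONG;
    if (n < 0 || !(colon = memchr(decoded, ':', (size_t)n))) return AUTH_MALFORMED;
    ulen = (size_t)(colon - decoded);
    plen = (size_t)n - ulen - 1;
    if (ulen >= user_cap || plen >= pass_cap) return AUTH_TOO_LONG;
    memcpy(user, decoded, ulen);
    user[ulen] = '\0';
    memcpy(pass, colon + 1, plen);
    pass[plen] = '\0';
    return AUTH_OK;
}

/* Feed the hardened parser a constructed header whose password is 3*groups 'A' bytes.
 * "scott:" is 6 bytes, so every "AAA" group encodes independently as "QUFB". */
auth_status probe_password_length(size_t groups)
{
    char header[1600] = "Basic c2NvdHQ6", u[USER_MAX], p[PASS_MAX];
    size_t i;
    if (groups > 300) return AUTH_TOO_LONG;
    for (i = 0; i < groups; i++) strcat(header, "QUFB");
    return parse_basic_auth_safe(header, u, sizeof u, p, sizeof p);
}

/* Returns 1 if the constructed sample header, base64("scott:tiger"), parses back correctly. */
int sample_roundtrip(void)
{
    char u[USER_MAX], p[PASS_MAX];
    if (parse_basic_auth_safe("Basic c2NvdHQ6dGlnZXI=", u, sizeof u, p, sizeof p) != AUTH_OK) return 0;
    return strcmp(u, "scott") == 0 && strcmp(p, "tiger") == 0;
}

int main(void)
{
    printf("sample parses: %d\n", sample_roundtrip());
    printf("66-byte password: status %d (2 = AUTH_TOO_LONG)\n", (int)probe_password_length(22));
    return 0;
}
```

The hardened parser rejects in two places: the decode itself refuses to emit more bytes than the largest credential the module is prepared to hold, and the per-field checks refuse anything that would not fit, including the terminating NUL. Either check alone would have prevented the Authorization-header overflow class; together they also keep an attacker from steering the decode into a large intermediate buffer and overflowing the smaller field buffers afterwards.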
The default installation of Oracle Application Server includes a number of insecure configuration settings, such as well-known default passwords and unrestricted access to applications and sensitive information.
VU#307835 - Oracle9i Application Server OWA_UTIL procedures expose sensitive information
VU#736923 - Oracle 9iAS SOAP components allow anonymous users to deploy applications by default
VU#611776 - Oracle9i Application Server PL/SQL Gateway web administration interface uses null authentication by default
VU#698467 - Oracle 9iAS default configuration allows access to "globals.jsa" file
VU#476619 - Oracle 9iAS default configuration allows arbitrary users to view sensitive configuration files
VU#712723 - Oracle 9iAS default configuration uses well-known default passwords
VU#168795 - Oracle 9iAS allows anonymous remote users to view sensitive Apache services by default
VU#278971 - Oracle 9i Application Server does not adequately handle requests for nonexistent JSP files thereby disclosing web folder path information
Oracle Application Server does not uniformly enforce access restrictions. Different components do not adequately check authorization before granting access to protected resources.
VU#180147 - Oracle 9i Database Server PL/SQL module allows remote command execution without authentication
VU#193523 - Oracle9i Application Server allows unauthenticated access to PL/SQL applications via alternate Database Access Descriptor
VU#977251 - Oracle 9iAS XSQL Servlet ignores file permissions allowing arbitrary users to view sensitive configuration files
VU#547459 - Oracle 9iAS creates temporary files when processing JSP requests that are world-readable
In one case, the PL/SQL module does not properly handle a malformed HTTP request.
VU#805915 - Oracle9i Application Server Apache PL/SQL module does not properly handle HTTP Authorization header
II. Impact
The impacts of these vulnerabilities include the remote execution of arbitrary code, remote execution of commands and SQL queries, disclosure of sensitive information, and denial of service.
This section contains vulnerabilities that permit a remote intruder to cause a denial of service or execute arbitrary commands, code, or queries on the system.
Some of these vulnerabilities allow execution with the privileges of the Apache process. On UNIX systems, the Apache process typically runs as the "oracle" user. On Windows systems, the Apache service typically runs as the SYSTEM user; therefore, an attacker could gain complete control of the system by exploiting these vulnerabilities.
VU#500203 - Oracle9i Application Server Apache PL/SQL module vulnerable to buffer overflow via help page request
VU#313280 - Oracle9i Application Server Apache PL/SQL module vulnerable to buffer overflow via help page request Location: header
VU#750299 - Oracle9i Application Server Apache PL/SQL module vulnerable to buffer overflow via HTTP request
VU#878603 - Oracle9i Application Server Apache PL/SQL module vulnerable to buffer overflow via HTTP Authorization header password parameter
VU#659043 - Oracle9i Application Server Apache PL/SQL module vulnerable to buffer overflow via Database Access Descriptor password
VU#923395 - Oracle9i Application Server Apache PL/SQL module vulnerable to buffer overflow via cache directory name
VU#180147 - Oracle 9i Database Server PL/SQL module allows remote command execution without authentication
VU#736923 - Oracle 9iAS SOAP components allow anonymous users to deploy applications by default
VU#712723 - Oracle 9iAS default configuration uses well-known default passwords
VU#611776 - Oracle9i Application Server PL/SQL Gateway web administration interface uses null authentication by default
A number of vulnerabilities disclose configuration information or expose data stored in underlying databases. Also, insecure applications could allow an intruder to execute SQL queries. Oracle system programmers may wish to examine these vulnerabilities in Oracle's sample pages to prevent similar vulnerabilities in their own Oracle applications.
VU#307835 - Oracle9i Application Server OWA_UTIL PL/SQL application exposes procedures that are remotely accessible by arbitrary users
VU#193523 - Oracle 9i Application Server allows unauthenticated access to PL/SQL applications via alternate Database Access Descriptor
VU#698467 - Oracle 9iAS default configuration allows access to "globals.jsa" file
VU#476619 - Oracle 9iAS default configuration allows arbitrary users to view sensitive configuration files
VU#977251 - Oracle 9iAS XSQL Servlet ignores file permissions allowing arbitrary users to view sensitive configuration files
VU#168795 - Oracle 9iAS allows anonymous remote users to view sensitive Apache services by default
VU#278971 - Oracle 9i Application Server does not adequately handle requests for nonexistent JSP files thereby disclosing web folder path information
VU#547459 - Oracle 9iAS creates temporary files when processing JSP requests that are world-readable
In the case where the PL/SQL module does not properly handle an HTTP request, a denial-of-service vulnerability exists. Also, an unsuccessful attempt to exploit a buffer overflow vulnerability could crash the Apache service.
VU#805915 - Oracle9i Application Server Apache PL/SQL module does not properly handle HTTP Authorization header
III. Solution
Oracle has provided patches and workarounds that address most of these vulnerabilities. Sites using Oracle Application Server are encouraged to install the appropriate patches and make the recommended configuration changes provided by Oracle.
Solutions and workarounds for specific vulnerabilities can be found in individual Vulnerability Notes and in the following Oracle security alerts:
Security and patch information for Oracle products is available at the following locations:
Sites using Oracle Application Server may also find David Litchfield's Hackproofing Oracle Application Server paper useful in describing the impacts and various interactions of these vulnerabilities.
Oracle has released patches that address some of these vulnerabilities. Patch information can be found in Oracle Security Alert #28 and Oracle Security Alert #25 and on the MetaLink web site (registration required).
Oracle has provided documentation on changing vulnerable default configuration settings. For details, consult individual Vulnerability Notes and the Oracle Security Alerts referenced above.
The CERT Coordination Center thanks David Litchfield and Oracle for information used in this document.
Authors: Art Manion, Jason A. Rafail, and Shawn Van Ittersum
Copyright 2002 Carnegie Mellon University.
Revision History
March 14, 2002: Initial release
March 14, 2002: Changed title and references to Appendix A.
March 15, 2002: Added Oracle Database language to Description section
September 17, 2002: Fixed Oracle search URL