RE: Security Issue with Oracle 9i R2 Database

  • From: "Abhishek Saxena" <AbhishekS@xxxxxxxxxxxxxxx>
  • To: <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 30 Jun 2004 13:26:01 +0530

Thanks Edgar for the doc. One of my clients usually travels a lot (from one country to another) with his laptop, and there is some sensitive information on his laptop; he connects through dialup. He is using the FoundScan tool and is getting the report shown below.

********************************* Report *********************************

BRIZKN | 165.197.20.181

Apache mod_ssl Off-By-One HTAccess Buffer Overflow
Description:
A buffer overflow vulnerability in the mod_SSL module for the Apache Web server allows remote attackers to execute arbitrary commands on targeted hosts.
Response from System:

Script Output:

http/1.1 200 ok
date: wed, 16 jun 2004 07:24:17 gmt
server: oracle http server powered by apache/1.3.22 (win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 openssl/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25
last-modified: tue, 20 aug 2002 21:41:18 gmt
etag: "0-89a-3d62b77e"
accept-ranges: bytes
content-length: 2202
connection: close
content-type: text/html

<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
<meta http-equiv="content-type" content="text/html; ch

Recommendation:
Install the latest version of mod_ssl, available from:

http://www.modssl.org/
Common Vulnerabilities & Exposures (CVE) Link:
CVE-2002-0653
Oracle soaprouter accessible
Description:
A configuration vulnerability in the Oracle Application Server allows remote attackers to perform administrative actions on the targeted server.
Recommendation:
Disable SOAP on the host by commenting out the following lines from the '$ORACLE_HOME/Apache/Jserv/etc/jserv.conf' file:

ApJServGroup group2 1 1 $ORACLE_HOME/Apache/Jserv/etc/jservSoap.properties
ApJServMount /soap/servlet ajpv12://localhost:8200/soap
ApJServMount /dms2 ajpv12://localhost:8200/soap
ApJServGroupMount /soap/servlet balance://group2/soap
Common Vulnerabilities & Exposures (CVE) Link:
CVE-2001-1371
Oracle 9i Database Server iSQL*Plus USERID Buffer Overflow
Description:
A remotely exploitable buffer overflow condition is present in the authentication process of Oracle iSQL*Plus.
Response from System:

Script Output:

Request:

/isqlplus

Response:

ed. -->
<meta http-equiv="content-type" content="text/html; charset=windows-1252">
<title>isql*plus release 9.2.0.1.0 production: login</title>
<link rel="stylesheet" href="/iplus/iplus.css" type="tex

Recommendation:
Restrict access to the Oracle iSQL*Plus web site via IP address restrictions and install the Oracle patch.
Common Vulnerabilities & Exposures (CVE) Link:
CAN-2002-1264
Apache mod_ssl Trusted Certificate Authority Buffer Overflow
Description:
A buffer overflow vulnerability in the i2d_SSL_SESSION function in Apache-SSL and mod_ssl allows remote attackers to execute arbitrary code on targeted hosts.
Response from System:

Script Output:

http/1.1 200 ok
date: wed, 16 jun 2004 07:14:04 gmt
server: oracle http server powered by apache/1.3.22 (win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 openssl/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25
last-modified: tue, 20 aug 2002 21:41:18

Recommendation:
Update to the latest version of mod_ssl and Apache HTTP Server:

http://httpd.apache.org/download.cgi

http://www.modssl.org/
Common Vulnerabilities & Exposures (CVE) Link:
CVE-2002-0082
Oracle TNS Listener Unauthorized Access
Description:
An Oracle TNS Listener has been detected on the host.
Recommendation:
It is recommended to only allow certain IPs or subnet ranges to access the TNS listener. This can be done by adding a rule in the firewall.
Common Vulnerabilities & Exposures (CVE) Link:
CVE-2002-0567
Apache Escape Characters Vulnerability
Description:
A problem exists in Apache's handling of escape characters in access logs.
Response from System:

Script Output:

http/1.1 200 ok
date: wed, 16 jun 2004 07:07:25 gmt
server: oracle http server powered by apache/1.3.22 (win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 openssl/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25
last-modified: tue, 20 aug 2002 21:41:18

Recommendation:
Update to the latest Apache:

http://httpd.apache.org/download.cgi
Common Vulnerabilities & Exposures (CVE) Link:
CAN-2003-0083
Oracle 9i Application/Database Server SOAP DTD Vulnerability
Description:
Oracle9i Application and Database server contain a vulnerability in the processing of SOAP (Simple Object Access Protocol) messages whose XML contains carefully constructed Data Type Definitions (DTDs).
Recommendation:
Workarounds:

If SOAP is protected by client authentication before the processing of SOAP XML data structures, unauthenticated clients do not pose a threat; for example, SSL sessions protected by Client X.509 certificates are protected against unauthenticated clients.

For those sites that do not use SOAP, disabling SOAP is a workaround. Disable SOAP by removing or renaming the following SOAP library, which is delivered in the following JAR file:

[Oracle Home]/soap/lib/soap.jar

Removing or renaming this library will remove access to SOAP, including support for Web services functionality.

Patch Availability:

Please see Metalink Document ID 259556.1:

http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=259556.1
Common Vulnerabilities & Exposures (CVE) Link:
None
OpenSSL ASN.1 Parsing Recursion Denial-of-Service
Description:
A denial-of-service vulnerability in OpenSSL allows remote attackers to stop a targeted Web server from responding.
Response from System:

Script Output:

http/1.1 200 ok
date: wed, 16 jun 2004 07:24:40 gmt
server: oracle http server powered by apache/1.3.22 (win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 openssl/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25
last-modified: tue, 20 aug 2002 21:41:18 gmt
etag: "0-89a-3d62b77e"
accept-ranges: bytes
content-length: 2202
connection: close
content-type: text/html

<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
<meta http-equiv="content-type" content="text/html; ch

Recommendation:
Update to OpenSSL 0.9.7c or 0.9.6l and later:

http://www.openssl.org/

SGI has released the following patches:
ftp://patches.sgi.com/support/free/security/patches/6.5.19/patch5362.tar
ftp://patches.sgi.com/support/free/security/patches/6.5.20/patch5405.tar
ftp://patches.sgi.com/support/free/security/patches/6.5.21/patch5363.tar

Cisco patches are available to registered users from:
http://www.cisco.com/tacpage/sw-center/
Common Vulnerabilities & Exposures (CVE) Link:
CAN-2003-0851
Oracle9iAS Web Server Dynamic Monitoring Services access
Description:
An unauthorized access to Dynamic Monitoring Services vulnerability exists within Oracle9iAS Web Server which discloses sensitive information to an attacker.
Recommendation:
Currently no vendor-supplied patches are available for this issue.

Workaround:

Restrict access to the Dynamic Monitoring Services.

1. From your ~/$ORACLE_HOME$/apache/apache/conf directory, open and modify your web server's configuration file (httpd.conf).

2. Restrict access to the following files:
/dms0
/servlet/DMSDump
/dms/DMSDump
/servlet/Spy
/soap/servlet/Spy
/dms/AggreSpy
Common Vulnerabilities & Exposures (CVE) Link:
CAN-2002-0563
Apache Log Files Escape Sequences
Description:
A vulnerability in the Apache HTTP Server allows remote attackers to cause the targeted server to process escape sequences.
Recommendation:
Update to the latest version of the Apache HTTP server:

http://httpd.apache.org/
Common Vulnerabilities & Exposures (CVE) Link:
CAN-2003-0020
Oracle9iAS unauthorized Java Process Manager access
Description:
An unauthorized access to the Java Process Manager vulnerability exists within Oracle9iAS Web Server which discloses sensitive information to an attacker.
Recommendation:
Restrict access to the /oprocmgr-status page.

1. From your ~/$ORACLE_HOME$/apache/apache/conf directory, open and modify your web server's configuration file (httpd.conf) to prevent access to the /oprocmgr-status page.
Common Vulnerabilities & Exposures (CVE) Link:
None
Oracle9iAS Jserv non-existent file request cross site scripting
Description:
A cross site scripting vulnerability in Oracle9iAS allows attackers to execute arbitrary client side scripting code.
Recommendation:
Oracle has released a patch for this vulnerability.

This patch is available (patch #1554571) on Oracle's Support Services site:
http://metalink.oracle.com

To download the patch, register and login to the Oracle Metalink site if not already done so. Then simply download the patch to a temp directory, and run the patch from there. The patch will have instructions on what to do next.
Common Vulnerabilities & Exposures (CVE) Link:
None
Oracle sqldemos CSS and database access
Description:
Vulnerabilities in various demo applets and scripts included with Oracle allow remote attackers to conduct cross-site scripting attacks, access databases, and perform other actions on the targeted system.
Recommendation:
Remove demo scripts from servers in a production environment.
Common Vulnerabilities & Exposures (CVE) Link:
None
Oracle9iAS Sample Scripts Information Disclosure
Description:
An information disclosure vulnerability exists within Oracle9i Web Server which allows an attacker to gather sensitive information about the system.
Recommendation:
Oracle has released a patch for this vulnerability. To download the patch, you must have a membership account with Oracle Support. If you do not have one, follow the link below:
http://otn.oracle.com/admin/account/membership.html

If you currently have a support membership, download the patch listed below.

OJSP 1.1.2.0.0, which can be obtained here:
http://otn.oracle.com/software/tech/java/servlets/content.html
Common Vulnerabilities & Exposures (CVE) Link:
None
Oracle9i HTTP Server JSP Path Disclosure
Description:
A path disclosure vulnerability exists within some versions of Oracle HTTP server that allows for an attacker to obtain filesystem information.
Recommendation:
Oracle has also provided the following workaround:

Ensure that the virtual path in a URL is different from the actual directory path when using Oracle Apache JServ. Also, do not use the (servletzonepath) directory in 'ApJServMount (servletzonepath) (servletzone)' to store data or files.
Common Vulnerabilities & Exposures (CVE) Link:
CVE-2001-1372
TRACE HTTP method enabled
Description:
An information disclosure vulnerability in various Web servers allows attackers to retrieve cookies or other sensitive data from Web client browsers.
Response from System:

Script Output:

Request:

TRACE / HTTP/1.1
Host: 2781156533
Cookie: Foundscan=sample-cookie-would-be-here
Script: <script>alert('GOTCHA')</script>

Response:

HTTP/1.1 200 OK
Date: Wed, 16 Jun 2004 07:18:53 GMT
Server: Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25
Transfer-Encoding: chunked
Content-Type: message/http

7f
TRACE / HTTP/1.1
Cookie: Foundscan=sample-cookie-would-be-here
Host: 2781156533
Script: <script>alert('GOTCHA')</script>
0

Recommendation:
Update your software to the latest version and disable support for the HTTP TRACE command.

Microsoft IIS - Use the Microsoft URLScan tool to deny HTTP TRACE requests

URLScan Tool:
http://www.microsoft.com/technet/security/tools/urlscan.asp

Apache Software Foundation - Use the ReWrite MOD for Apache to deny HTTP TRACE
mod_rewrite:
http://httpd.apache.org/docs/mod/mod_rewrite.html

Sun Microsystems - Sun Alert ID: 50603:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/50603
Common Vulnerabilities & Exposures (CVE) Link:
None
Oracle9iAS soapConfig.xml SOAP Configuration Disclosure
Description:
A configuration file disclosure vulnerability exists within Oracle9iAS which allows an attacker to access sensitive information.
Recommendation:
Currently no vendor-supplied patches are available for this issue.

Workaround:

Restrict access to 'soapConfig.xml' in httpd.conf.

By default, this file is named soapConfig.xml and is placed in the directory $SOAP_HOME/webapps/soap/WEB-INF/config on UNIX or %SOAP_HOME%\webapps\soap\WEB-INF\config on Windows NT.
Common Vulnerabilities & Exposures (CVE) Link:
CAN-2002-0568
Apache rotatelogs Denial of Service
Description:
A vulnerability in the rotatelogs program for the Apache HTTP Server allows remote attackers to stop targeted hosts from logging actions.
Response from System:

Script Output:

http/1.1 200 ok
date: wed, 16 jun 2004 07:37:33 gmt
server: oracle http server powered by apache/1.3.22 (win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 openssl/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25
last-modified: tue, 20 aug 2002 21:41:18

Recommendation:
Update to Apache 1.3.28 or later:

http://httpd.apache.org/
Common Vulnerabilities & Exposures (CVE) Link:
CAN-2003-0460
FastCGI echo2.exe Cross-site Scripting
Description:
A cross-site scripting vulnerability in the FastCGI echo2.exe CGI script allows remote attackers to submit requests containing potentially malicious HTML or scripts to the Web server.
Recommendation:
Foundstone recommends that you remove the FastCGI sample scripts, including echo2.exe, from any server in a production environment.
Common Vulnerabilities & Exposures (CVE) Link:
None
Web Server Supports Weak SSL Encryption Certificates
Description:
The host uses weak cipher keys when communicating using the SSL protocol.
Recommendation:
Enforce the use of 128-bit SSL keys. This may not be possible in all situations because keys distributed by some vendors use 40 bits. This includes certificates from organizations such as Verisign. When configuring communications using SSL, use the highest key strength possible.
Common Vulnerabilities & Exposures (CVE) Link:
None
*************************************************** end of report ******************************************

Thanks,
Abhishek
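Several of the report's workarounds (the DMS and Spy pages, /oprocmgr-status, soapConfig.xml, the iSQL*Plus IP restriction, and disabling TRACE via mod_rewrite) are all httpd.conf access rules. The fragment below is an added illustration for Apache 1.3 and is not part of the original post or of Oracle's shipped configuration; the 10.0.0.0/8 management subnet is a placeholder, and it assumes mod_access, mod_rewrite and mod_ssl are loaded.

```apache
# Added example, not from the original post: httpd.conf hardening for the
# findings listed in the FoundScan report above. Apache 1.3 syntax.
# 10.0.0.0/8 is a placeholder for the administrators' subnet.

# Oracle9iAS monitoring pages (DMS dumps, Spy, Java Process Manager status):
# reachable from the management subnet only, everyone else gets 403.
<LocationMatch "^/(dms0|dms/DMSDump|dms/AggreSpy|servlet/DMSDump|servlet/Spy|soap/servlet/Spy|oprocmgr-status)">
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/8
</LocationMatch>

# iSQL*Plus login page: the report recommends IP address restrictions in
# addition to the Oracle patch.
<Location /isqlplus>
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/8
</Location>

# soapConfig.xml must never be served over HTTP, regardless of the URL it
# is mapped under, so match on the URL path rather than the file system.
<LocationMatch "soapConfig\.xml$">
    Order allow,deny
    Deny from all
</LocationMatch>

# Refuse the TRACE method; the scan shows the server echoing the Cookie
# header back in the response body.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

# Weak SSL ciphers finding: exclude 40-bit export, low-strength and
# unauthenticated suites so only 128-bit or stronger keys are negotiated.
SSLCipherSuite HIGH:MEDIUM:!EXPORT:!LOW:!NULL:!ADH
```

After editing, run `apachectl configtest` and then restart; verify with a plain TRACE request that the server now answers 403 instead of echoing the headers.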

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx]On Behalf Of Edgar Chupit
Sent: Wednesday, June 30, 2004 12:26 PM
To: Abhishek Saxena
Subject: Re: Security Issue with Oracle 9i R2 Database


Hello Abhishek,

AS> 1. Due to some Security concern

what is this concern? can you, please, be more specific.

AS> how can i diable Jserver Option in Oracle Database 9i R2 ...

Please see Note:209870.1 titled "How to Reload the JVM in 9.2.0.X".

For other security related problems, you may wish to visit
Pete Finnigan's site http://www.petefinnigan.com/; it is full of
different security related information.


--
Best regards,
 Edgar

----------------------------------------------------------------
Please see the official ORACLE-L FAQ: http://www.orafaq.com
----------------------------------------------------------------
To unsubscribe send email to:  oracle-l-request@xxxxxxxxxxxxx
put 'unsubscribe' in the subject line.
--
Archives are at //www.freelists.org/archives/oracle-l/
FAQ is at //www.freelists.org/help/fom-serve/cache/1.html
-----------------------------------------------------------------