
RE: Security Issue with Oracle 9i R2 Database

From: Abhishek Saxena <AbhishekS_at_KPITCummins.com>
Date: Wed, 30 Jun 2004 13:26:01 +0530
Message-ID: <4A1BE23A7B777442B60F4B4916AE0F1301F0CCF6@sohm.kpit.com>


Thanks, Edgar, for the doc. One of my clients usually travels a lot (from one country to another) with his laptop; there is some sensitive information on his laptop and he connects through dialup. He is using the FoundScan tool and he is getting the report shown below.

********************************* Report *********************************

BRIZKN | 165.197.20.181

Apache mod_ssl Off-By-One HTAccess Buffer Overflow
Description:
A buffer overflow vulnerability in the mod_SSL module for the Apache Web server allows remote attackers to execute arbitrary commands on targeted hosts.
Response from System:

Script Output:

http/1.1 200 ok
date: wed, 16 jun 2004 07:24:17 gmt
server: oracle http server powered by apache/1.3.22 (win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 openssl/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25
last-modified: tue, 20 aug 2002 21:41:18 gmt
etag: "0-89a-3d62b77e"
accept-ranges: bytes
content-length: 2202
connection: close
content-type: text/html

<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
<meta http-equiv="content-type" content="text/html; ch

Recommendation:
Install the latest version of mod_ssl, available from:
http://www.modssl.org/
Common Vulnerabilities & Exposures (CVE) Link: CVE-2002-0653

Oracle soaprouter accessible
Description:
A configuration vulnerability in the Oracle Application Server allows remote attackers to perform administrative actions on the targeted server.
Recommendation:
Disable SOAP on the host by commenting out the following lines from the '$ORACLE_HOME/Apache/Jserv/etc/jserv.conf' file:

ApJServGroup group2 1 1 $ORACLE_HOME/Apache/Jserv/etc/jservSoap.properties
ApJServMount /soap/servlet ajpv12://localhost:8200/soap
ApJServMount /dms2 ajpv12://localhost:8200/soap
ApJServGroupMount /soap/servlet balance://group2/soap

Common Vulnerabilities & Exposures (CVE) Link: CVE-2001-1371

Oracle 9i Database Server iSQL Plus USERID Buffer Overflow
Description:
A remotely exploitable buffer overflow condition is present in the authentication process of Oracle iSQL*Plus.
Response from System:

Script Output:

Request:

/isqlplus

Response:

ed. -->
<meta http-equiv="content-type" content="text/html; charset=windows-1252">
<title>isql*plus release 9.2.0.1.0 production: login</title>
<link rel="stylesheet" href="/iplus/iplus.css" type="tex

Recommendation:
Restrict access to the Oracle iSQL*Plus web site via IP address restrictions and install the Oracle patch.
Common Vulnerabilities & Exposures (CVE) Link: CAN-2002-1264

Apache mod_ssl Trusted Certificate Authority Buffer Overflow
Description:
A buffer overflow vulnerability in the i2d_SSL_SESSION function in Apache-SSL and mod_ssl allows remote attackers to execute arbitrary code on targeted hosts.
Response from System:

Script Output:

http/1.1 200 ok
date: wed, 16 jun 2004 07:14:04 gmt
server: oracle http server powered by apache/1.3.22 (win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 openssl/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25
last-modified: tue, 20 aug 2002 21:41:18

Recommendation:
Update to the latest version of mod_ssl and Apache HTTP Server:
http://httpd.apache.org/download.cgi
http://www.modssl.org/
Common Vulnerabilities & Exposures (CVE) Link: CVE-2002-0082

Oracle TNS Listener Unauthorized Access
Description:
An Oracle TNS Listener has been detected on the host.
Recommendation:
It is recommended to only allow certain IPs or subnet ranges to access the TNS listener. This can be done by adding a rule in the firewall.
Common Vulnerabilities & Exposures (CVE) Link: CVE-2002-0567

Apache Escape Characters Vulnerability
Description:
A problem exists in Apache's handling of escape characters in access logs.
Response from System:

Script Output:

http/1.1 200 ok
date: wed, 16 jun 2004 07:07:25 gmt
server: oracle http server powered by apache/1.3.22 (win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 openssl/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25
last-modified: tue, 20 aug 2002 21:41:18

Recommendation:
Update to the latest Apache:
http://httpd.apache.org/download.cgi
Common Vulnerabilities & Exposures (CVE) Link: CAN-2003-0083

Oracle 9i Application/Database Server SOAP DTD Vulnerability
Description:
Oracle9i Application and Database Server contain a vulnerability in the processing of SOAP (Simple Object Access Protocol) messages whose XML contains carefully constructed Data Type Definitions (DTDs).
Recommendation:
Workarounds:

If SOAP is protected by client authentication before the processing of SOAP XML data structures, unauthenticated clients do not pose a threat; for example, SSL sessions protected by client X.509 certificates are protected against unauthenticated clients.

For those sites that do not use SOAP, disabling SOAP is a workaround. Disable SOAP by removing or renaming the following SOAP library, which is delivered in the following JAR file:

[Oracle Home]/soap/lib/soap.jar

Removing or renaming this library will remove access to SOAP, including support for Web services functionality.

Patch Availability:

Please see Metalink Document ID 259556.1:

http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=259556.1
Common Vulnerabilities & Exposures (CVE) Link: None

OpenSSL ASN.1 Parsing Recursion Denial-of-Service
Description:
A denial-of-service vulnerability in OpenSSL allows remote attackers to stop a targeted Web server from responding.
Response from System:

Script Output:

http/1.1 200 ok
date: wed, 16 jun 2004 07:24:40 gmt
server: oracle http server powered by apache/1.3.22 (win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 openssl/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25
last-modified: tue, 20 aug 2002 21:41:18 gmt
etag: "0-89a-3d62b77e"
accept-ranges: bytes
content-length: 2202
connection: close
content-type: text/html

<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
<meta http-equiv="content-type" content="text/html; ch

Recommendation:
Update to OpenSSL 0.9.7c or 0.9.6l and later:
http://www.openssl.org/

SGI has released the following patches:
ftp://patches.sgi.com/support/free/security/patches/6.5.19/patch5362.tar
ftp://patches.sgi.com/support/free/security/patches/6.5.20/patch5405.tar
ftp://patches.sgi.com/support/free/security/patches/6.5.21/patch5363.tar

Cisco patches are available to registered users from:
http://www.cisco.com/tacpage/sw-center/
Common Vulnerabilities & Exposures (CVE) Link: CAN-2003-0851

Oracle9iAS Web Server Dynamic Monitoring Services access
Description:
An unauthorized access to Dynamic Monitoring Services vulnerability exists within Oracle9iAS Web Server which discloses sensitive information to an attacker.
Recommendation:
Currently no vendor-supplied patches are available for this issue.

Workaround:

Restricting access to the Dynamic Monitoring Services.

  1. From your ~/$ORACLE_HOME$/apache/apache/conf directory, open and modify your web server's configuration file (httpd.conf).
  2. Restrict access to the following files: /dms0 /servlet/DMSDump /dms/DMSDump /servlet/Spy /soap/servlet/Spy /dms/AggreSpy

Common Vulnerabilities & Exposures (CVE) Link: CAN-2002-0563

Apache Log Files Escape Sequences
Description:
A vulnerability in the Apache HTTP Server allows remote attackers to cause the targeted server to process escape sequences.
Recommendation:
Update to the latest version of the Apache HTTP server:
http://httpd.apache.org/
Common Vulnerabilities & Exposures (CVE) Link: CAN-2003-0020

Oracle9iAS unauthorized Java Process Manager access
Description:
An unauthorized access to the Java Process Manager vulnerability exists within Oracle9iAS Web Server which discloses sensitive information to an attacker.
Recommendation:
Restricting access to the /oprocmgr-status page.

  1. From your ~/$ORACLE_HOME$/apache/apache/conf directory, open and modify your web server's configuration file (httpd.conf) to prevent access to the /oprocmgr-status page.

Common Vulnerabilities & Exposures (CVE) Link: None

Oracle9iAS Jserv non-existent file request cross site scripting
Description:
A cross site scripting vulnerability in Oracle9iAS allows attackers to execute arbitrary client side scripting code.
Recommendation:
Oracle has released a patch for this vulnerability.

This patch is available (patch #1554571) on Oracle's Support Services site:
http://metalink.oracle.com

To download the patch, register and log in to the Oracle Metalink site if not already done so. Then simply download the patch to a temp directory and run the patch from there. The patch will have instructions on what to do next.
Common Vulnerabilities & Exposures (CVE) Link: None

Oracle sqldemos CSS and database access
Description:
Vulnerabilities in various demo applets and scripts included with Oracle allow remote attackers to conduct cross-site scripting attacks, access databases, and perform other actions on the targeted system.
Recommendation:
Remove demo scripts from servers in a production environment.
Common Vulnerabilities & Exposures (CVE) Link: None

Oracle9iAS Sample Scripts Information Disclosure
Description:
An information disclosure vulnerability exists within Oracle9i Web Server which allows an attacker to gather sensitive information about the system.
Recommendation:
Oracle has released a patch for this vulnerability. To download the patch, you must have a membership account with Oracle Support. If you do not have one, follow the link below:
http://otn.oracle.com/admin/account/membership.html

If you currently have a support membership, download the patch listed below.

OJSP 1.1.2.0.0, which can be obtained here: http://otn.oracle.com/software/tech/java/servlets/content.html
Common Vulnerabilities & Exposures (CVE) Link: None

Oracle9i HTTP Server JSP Path Disclosure
Description:
A path disclosure vulnerability exists within some versions of Oracle HTTP Server that allows an attacker to obtain filesystem information.
Recommendation:
Oracle has also provided the following workaround:

Ensure that the virtual path in a URL is different from the actual directory path when using Oracle Apache JServ. Also, do not use the (servletzonepath) directory in 'ApJServMount (servletzonepath) (servletzone)' to store data or files.
Common Vulnerabilities & Exposures (CVE) Link: CVE-2001-1372

TRACE HTTP method enabled
Description:
An information disclosure vulnerability in various Web servers allows attackers to retrieve cookies or other sensitive data from Web client browsers.
Response from System:

Script Output:

Request:

TRACE / HTTP/1.1
Host: 2781156533
Cookie: Foundscan=sample-cookie-would-be-here
Script: <script>alert('GOTCHA')</script>

Response:

HTTP/1.1 200 OK
Date: Wed, 16 Jun 2004 07:18:53 GMT
Server: Oracle HTTP Server Powered by Apache/1.3.22 (Win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 OpenSSL/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25
Transfer-Encoding: chunked
Content-Type: message/http

7f
TRACE / HTTP/1.1
Cookie: Foundscan=sample-cookie-would-be-here
Host: 2781156533
Script: <script>alert('GOTCHA')</script>
0

Recommendation:
Update your software to the latest version and disable support for the HTTP TRACE command.

Microsoft IIS - Use the Microsoft URLScan tool to deny HTTP TRACE requests
URLScan Tool:
http://www.microsoft.com/technet/security/tools/urlscan.asp

Apache Software Foundation - Use the ReWrite MOD for Apache to deny HTTP TRACE
mod_rewrite:
http://httpd.apache.org/docs/mod/mod_rewrite.html

Sun Microsystems - Sun Alert ID: 50603:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/50603
Common Vulnerabilities & Exposures (CVE) Link: None

Oracle9iAS soapConfig.xml SOAP Configuration Disclosure
Description:
A configuration file disclosure vulnerability exists within Oracle9iAS which allows an attacker to access sensitive information.
Recommendation:
Currently no vendor-supplied patches are available for this issue.

Workaround:

Restrict access to 'soapConfig.xml' in httpd.conf.

By default, this file is named soapConfig.xml and is placed in the directory $SOAP_HOME/webapps/soap/WEB-INF/config on UNIX or %SOAP_HOME%\webapps\soap\WEB-INF\config on Windows NT.
Common Vulnerabilities & Exposures (CVE) Link: CAN-2002-0568

Apache rotatelogs Denial of Service
Description:
A vulnerability in the rotatelogs program for the Apache HTTP Server allows remote attackers to stop targeted hosts from logging actions.
Response from System:

Script Output:

http/1.1 200 ok
date: wed, 16 jun 2004 07:37:33 gmt
server: oracle http server powered by apache/1.3.22 (win32) mod_plsql/3.0.9.8.3b mod_ssl/2.8.5 openssl/0.9.6b mod_fastcgi/2.2.12 mod_oprocmgr/1.0 mod_perl/1.25
last-modified: tue, 20 aug 2002 21:41:18

Recommendation:
Update to Apache 1.3.28 or later:
http://httpd.apache.org/
Common Vulnerabilities & Exposures (CVE) Link: CAN-2003-0460

FastCGI echo2.exe Cross-site Scripting
Description:
A cross-site scripting vulnerability in the FastCGI echo2.exe CGI script allows remote attackers to submit requests containing potentially malicious HTML or scripts to the Web server.
Recommendation:
Foundstone recommends that you remove the FastCGI sample scripts, including echo2.exe, from any server in a production environment.
Common Vulnerabilities & Exposures (CVE) Link: None

Web Server Supports Weak SSL Encryption Certificates
Description:
The host uses weak cipher keys when communicating using the SSL protocol.
Recommendation:
Enforce the use of 128-bit SSL keys. This may not be possible in all situations because keys distributed by some vendors use 40 bits. This includes certificates from organizations such as Verisign. When configuring communications using SSL, use the highest key strength possible.
Common Vulnerabilities & Exposures (CVE) Link: None

*************************************** end of report ******************************************
Thanks,
Abhishek
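Three of the report's recommendations (the Dynamic Monitoring Services pages, the /oprocmgr-status page and soapConfig.xml to be restricted in httpd.conf, and HTTP TRACE to be refused with mod_rewrite) come down to a few directives in the Oracle HTTP Server httpd.conf. The fragment below is an added example written for this page, not part of the original message or of Oracle's documentation; it uses Apache 1.3 access-control syntax because the scanned server reports Apache/1.3.22, and the admin address 127.0.0.1 is an assumed placeholder.

```apache
# Added example (not from the original message): httpd.conf fragment for
# Oracle HTTP Server / Apache 1.3.x applying the report's workarounds.
# Place it in $ORACLE_HOME/Apache/Apache/conf/httpd.conf and restart Apache.

# Dynamic Monitoring Services and Java Process Manager status pages
# (CAN-2002-0563 and the /oprocmgr-status finding). Matching on the URL
# path rather than a filename covers requests handed on to JServ/oprocmgr.
# With "Order deny,allow" the Deny is evaluated first, then the Allow, so
# everything is refused except the single admin host (assumed 127.0.0.1).
<LocationMatch "^/(dms0|dms/DMSDump|dms/AggreSpy|servlet/DMSDump|servlet/Spy|soap/servlet/Spy|oprocmgr-status)">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</LocationMatch>

# SOAP configuration disclosure (CAN-2002-0568): refuse any URL ending in
# soapConfig.xml, whatever directory it is served from.
<LocationMatch "soapConfig\.xml$">
    Order deny,allow
    Deny from all
</LocationMatch>

# HTTP TRACE ("TRACE HTTP method enabled" finding). Apache 1.3.22 has no
# TraceEnable directive, so the method is refused with mod_rewrite, as the
# report's mod_rewrite reference suggests. [F] answers 403 Forbidden; the
# "-" target leaves the URL unchanged. mod_rewrite must be loaded first.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
```

After restarting, a TRACE request and a request for /dms0 from a non-admin address should both return 403 instead of the 200 responses shown in the report's script output.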

-----Original Message-----
From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Edgar Chupit
Sent: Wednesday, June 30, 2004 12:26 PM
To: Abhishek Saxena
Subject: Re: Security Issue with Oracle 9i R2 Database

Hello Abhishek,

AS> 1. Due to some Security concern

What is this concern? Can you please be more specific?

AS> how can I disable the JServer option in Oracle Database 9i R2 ...

Please see Note:209870.1 titled "How to Reload the JVM in 9.2.0.X".

For other security-related problems, you may wish to visit Pete Finnigan's site, http://www.petefinnigan.com/; it is full of different security-related information.

--
Best regards,
 Edgar



Please see the official ORACLE-L FAQ: http://www.orafaq.com

To unsubscribe send email to: oracle-l-request_at_freelists.org put 'unsubscribe' in the subject line.
--
Archives are at http://www.freelists.org/archives/oracle-l/
FAQ is at http://www.freelists.org/help/fom-serve/cache/1.html
Received on Wed Jun 30 2004 - 02:56:54 CDT
