Vulnerability Note VU#168795

Oracle 9iAS allows anonymous remote users to view sensitive Apache services by default

Original Release date: 12 Mar 2002 | Last revised: 09 Apr 2003

Overview

Oracle Application Server 9iAS allows remote users to access several Apache services without authentication.

Description

Oracle Application Server 9iAS includes the Apache Web server and several Apache services. In the default install configuration, many of these services, including Dynamic Monitoring Services, can be accessed remotely by anonymous users.

Impact

Dynamic Monitoring Services may be used without authentication by attackers to monitor the internal workings of the Oracle server.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

The following workaround was suggested by David Litchfield and has not been tested by CERT/CC.

Edit the "httpd.conf" file to limit access to the following pages:

http://oracleserver/dms0 http://oracleserver/dms/DMSDump http://oracleserver/servlet/DMSDump http://oracleserver/servlet/Spy http://oracleserver/soap/servlet/Spy http://oracleserver/dms/AggreSpy http://oracleserver/oprocmgr-status http://oracleserver/oprocmgr-service

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Oracle CorporationAffected08 Feb 200226 Feb 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to David Litchfield for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

  • CVE IDs: CAN-2002-0563
  • Date Public: 10 Jan 2002
  • Date First Published: 12 Mar 2002
  • Date Last Updated: 09 Apr 2003
  • Severity Metric: 11.25
  • Document Revision: 13

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.