Vulnerability Note VU#511194

Oracle9i Application Server MOD_ORADAV Module vulnerable to DoS

Overview

A remotely exploitable denial-of-service vulnerability exists in the Oracle9i Application Server MOD_ORADAV Module.

I. Description

Oracle has described this vulnerability as follows:

A potential security vulnerability has been discovered in Oracle9i Application Server. A knowledgeable and malicious user can exploit exposed URLs: 1) http://host:port/dav_public, and 2) http://host:port/dav_portal, and compromise the MOD_ORADAV module that may result in a remote Denial of Service (DoS).

II. Impact

A remote attacker may be able to cause a denial-of-service against the Application Server.

III. Solution

Oracle has published Oracle Security Alert #52 regarding this issue. Patches do not yet exist for all platforms. Please refer to Oracle Security Alert #52 for a detailed patch matrix.

Workarounds

Until a patch can be applied, the CERT/CC recommends that vulnerable sites

disable unnecessary Oracle services
run Oracle services with the least privilege
restrict network access to Oracle services

Systems Affected

Vendor	Status	Date Updated
Oracle Corporation	Vulnerable	18-Feb-2003

References

http://www.nextgenss.com/advisories/ora-appservfmtst.txt
http://otn.oracle.com/deploy/security/pdf/2003alert52.pdf

Credit

This vulnerability was discovered by David Litchfield and Mark Litchfield of Next Generation Security Software Ltd. The CERT/CC thanks both Next Generation Security Software Ltd and Oracle for providing information upon which this document is based.

This document was written by Ian A Finlay.

Other Information

Date Public	02/11/2003
Date First Published	02/18/2003 01:33:59 PM
Date Last Updated	02/19/2003
CERT Advisory
CVE Name
US-CERT Technical Alerts
Metric	13.50
Document Revision	7

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Get Adobe Reader