search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Oracle Configurator discloses version and host information via "test" argument passed to servlet

Vulnerability Note VU#158323

Original Release Date: 2002-07-31 | Last Revised: 2002-07-31


A servlet component of Oracle Configurator may post sensitive version and host information to any Web user that makes a crafted request to the server.


Oracle Configurator is an Internet application used to configure Oracle Application and Database Servers.

If a user sends a request to the Oracle Configurator servlet component named "" with CGI variable "test" set to "version", the servlet returns sensitive build and schema information. If a user sends a request with CGI variable "test" set to "host", the servlet returns the hostname and the port on which the Oracle Apache web server is running.


Attackers may learn sensitive information about an Oracle installation, which may aid them in attacking the system.


Apply a patch from your vendor

Refer to Oracle Security Alert #31 for details:

Vendor Information


Oracle Affected

Notified:  April 17, 2002 Updated: June 07, 2002



Vendor Statement

"The vulnerability has been rectified and patches detailed in Oracle Security Alert #31:

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



Thanks to Oracle for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

CVE IDs: None
Severity Metric: 9.38
Date Public: 2002-04-01
Date First Published: 2002-07-31
Date Last Updated: 2002-07-31 22:51 UTC
Document Revision: 8

Sponsored by CISA.