search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Oracle Application Server contains format string vulnerability

Vulnerability Note VU#467555

Original Release Date: 2002-06-04 | Last Revised: 2003-06-02


The CERT/CC is aware of a report about a "remotely exploitable format string vulnerability in Oracle Application Server" that could allow an unauthenticated, remote attacker to execute arbitrary code on a vulnerable system.


Oracle Application Server uses the Apache HTTP Server to provide web services, including access to stored procedures via the Oracle PL/SQL module (modpplsql or mod_plsql). The PL/SQL module provides a web-based administration interface to configure Database Access Descriptors (DAD) and cache settings. The CERT/CC is aware of a report of a format string vulnerability in Oracle Application Server. The report implies that the vulnerability exists in the web-based administration interface for the PL/SQL gateway. An attacker may be able to exploit this vulnerability by sending a specially crafted HTTP request to a vulnerable system. Further details about this vulnerability are not presently available, as the reporter (NGSSoftware) has intentionally released limited information in accordance with their disclosure policy. NGSSoftware reports that Oracle9iAS v1.0.2.2 for Windows NT/2000 was tested.


An unauthenticated remote attacker could execute arbitrary code or cause a denial of service on a vulnerable system. The HTTP server used by Oracle Application Server may run as SYSTEM on Windows NT and Windows 2000 systems.


Apply a Patch

When available, apply the appropriate patch. Oracle typically releases Security Alerts that include patch information.

Restrict Access

The report from NGSSoftware recommends "ensuring that the administration pages for the PL/SQL module have been protected." This implies that the vulnerability lies in the HTML administration interface for the PL/SQL module, which would be similar to a previously announced vulnerability [VU#659043]. In the default configuration, the administration pages are available to anyone who is able to access to the web server [VU#611776].

Access to the PL/SQL gateway administration web pages can be restricted by specifying authorized user names and connect strings or an administrative Database Access Descriptor (DAD) in the PL/SQL gateway configuration file, /Apache/modplsql/cfg/ For more information, read the section titled Using the PL/SQL Gateway in the Oracle iAS documentation for the Oracle HTTP Server powered by Apache.

Disable Unnecessary Services

If this vulnerability is in the PL/SQL HTTP administration interface, it may be possible to disable the HTTP interface and make configuration changes to the PL/SQL module by modifying the configuration file directly.

Disable the PL/SQL service (modplsql or mod_plsql in Apache).

Use Least Privilege

Run Oracle Application Server under a user account with the least privilege possible. Note that this workaround will not prevent exploitation, but may limit the impact of an attack.

Vendor Information


Oracle Corporation Affected

Notified:  May 31, 2002 Updated: June 18, 2002



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


NGSSoftware reports that Oracle9iAS v1.0.2.2 for Windows NT/2000 was tested.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



The CERT/CC thanks David Litchfield of NGSSoftware for information used in this document.

This document was written by Art Manion.

Other Information

CVE IDs: None
Severity Metric: 6.22
Date Public: 2002-05-27
Date First Published: 2002-06-04
Date Last Updated: 2003-06-02 19:05 UTC
Document Revision: 40

Sponsored by CISA.