Vulnerability Note VU#511194

Oracle9i Application Server MOD_ORADAV Module vulnerable to DoS

Original Release date: 18 Feb 2003 | Last revised: 19 Feb 2003


A remotely exploitable denial-of-service vulnerability exists in the Oracle9i Application Server MOD_ORADAV Module.


Oracle has described this vulnerability as follows:

    A potential security vulnerability has been discovered in Oracle9i Application Server. A knowledgeable and malicious user can exploit exposed URLs: 1) http://host:port/dav_public, and 2) http://host:port/dav_portal, and compromise the MOD_ORADAV module that may result in a remote Denial of Service (DoS).


A remote attacker may be able to cause a denial-of-service against the Application Server.


Oracle has published Oracle Security Alert #52 regarding this issue. Patches do not yet exist for all platforms. Please refer to Oracle Security Alert #52 for a detailed patch matrix.


Until a patch can be applied, the CERT/CC recommends that vulnerable sites

  • disable unnecessary Oracle services
  • run Oracle services with the least privilege
  • restrict network access to Oracle services

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Oracle CorporationAffected-18 Feb 2003
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



This vulnerability was discovered by David Litchfield and Mark Litchfield of Next Generation Security Software Ltd. The CERT/CC thanks both Next Generation Security Software Ltd and Oracle for providing information upon which this document is based.

This document was written by Ian A Finlay.

Other Information

  • CVE IDs: Unknown
  • Date Public: 11 Feb 2003
  • Date First Published: 18 Feb 2003
  • Date Last Updated: 19 Feb 2003
  • Severity Metric: 13.50
  • Document Revision: 7


If you have feedback, comments, or additional information about this vulnerability, please send us email.