Subject: Oracle Web Listener for AIX DoS
From: Peter Grundl (prgN-M.COM)
Date: Tue Jul 04 2000 - 05:10:24 CDT


Oracle Web Listener for AIX DoS

Advisory Code: VIGILANTE-2000002

Release Date:
July 4, 2000

Systems Affected:
Oracle_Web_Listener/4.0.7.0.0 for AIX
Oracle_Web_Listener/4.0.8.1.0 for AIX
Possibly other operating systems as well; this has not been tested.

Systems not Affected:
Oracle_Web_Listener/4.0.8.0.0 for Windows NT
Oracle_Web_Listener/4.0.8.1.0 for Windows NT
Oracle_Web_Listener/4.0.8.2.0 for Windows NT
Oracle_Web_Listener/4.0.8.1.0 for Sun

THE PROBLEM
By issuing a malformed URL (variations on "..") it is possible to cause a
Denial of Service situation where the Oracle_Web_Listener will no longer
accept HTTP requests and the service needs to be restarted.
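A defender-side log check, added here as an example and not part of the advisory: it flags requests whose decoded path contains a ".." segment, the shape of URL this report describes, so that a listener hang can be correlated with the request that preceded it. The log lines are constructed, and the percent- and backslash-decoding are assumptions about how a lenient server normalizes paths, not documented Oracle Web Listener behaviour.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format style); not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Jul/2000:05:10:24 -0500] "GET /index.html HTTP/1.0" 200 512
10.0.0.7 - - [04/Jul/2000:05:11:02 -0500] "GET /../../outside.txt HTTP/1.0" 404 0
10.0.0.9 - - [04/Jul/2000:05:11:30 -0500] "GET /docs/%2e%2e/%2e%2e/ HTTP/1.0" 404 0
10.0.0.9 - - [04/Jul/2000:05:11:45 -0500] "GET /docs/..%5c..%5cother.txt HTTP/1.0" 404 0
10.0.0.5 - - [04/Jul/2000:05:12:10 -0500] "GET /reports/2000..07/summary.html HTTP/1.0" 200 2048
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')

def decode_target(target: str) -> str:
    """Percent-decode a bounded number of times so double-encoded '..' is still seen,
    then treat backslashes as path separators (assumed lenient-server behaviour)."""
    decoded = target
    for _ in range(3):  # bound the loop; deeper nesting than this is itself suspicious
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")

def has_dotdot_segment(target: str) -> bool:
    """True if any path segment of the decoded request target is exactly '..'.
    A '..' embedded inside a filename (e.g. '2000..07') is not a traversal segment."""
    path = decode_target(target).split("?", 1)[0]
    return any(seg == ".." for seg in path.split("/"))

def find_dotdot_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, raw_target) for every log line whose request has a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        if has_dotdot_segment(m.group("target")):
            hits.append((line.split(" ", 1)[0], m.group("target")))
    return hits

if __name__ == "__main__":
    for ip, target in find_dotdot_requests(SAMPLE_LOG):
        print(f"{ip} sent dot-dot request: {target}")
```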

Vendor Status:
Vendor was contacted through e-mail (3 times) and direct phone calls (5
times) from the end of May until today. However, we were told that without a
support contract this incident would receive low priority. We were offered
the option to purchase a support contract so we could report the vulnerability
correctly. We do not use any Oracle products and fail to grasp why we should
purchase a support contract in order to help Oracle.

Fix:
Older versions have not been supported since the 1st of June 2000, which means
4.0.7.0.0 will never be fixed. The vulnerability still exists in 4.0.8.1.0,
and is unlikely to have been addressed in 4.0.8.2.0.

Vendor URL: http://www.oracle.com
Program URL: http://www.oracle.com/appserver/

Copyright VIGILANTe 2000-07-04

Disclaimer:
The information within this document may change without notice. Use of
this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any consequences whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information lies within the user's
responsibility.

Feedback:
Please send suggestions, updates, and comments to:

VIGILANTe
mailto: infovigilante.com
http://www.vigilante.com