OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: _at_stake advisories (_at_stake)
Date: Mon Oct 28 2002 - 12:30:54 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

                                   stake, Inc.
                                 www.atstake.com

                                Security Advisory

    Advisory Name: Oracle9iAS Web Cache Denial of Service
     Release Date: 10-28-2002
      Application: Oracle9iAS Web Cache 9.0.2.0.0
         Platform: Windows NT/2000/XP
         Severity: Remote anonymous DoS
           Author: Andreas Junestam (andreasatstake.com)
    Vendor Status: Oracle has released a bulletin
    CVE Candidate: CAN-2002-0386
        Reference: www.atstake.com/research/advisories/2002/a102802-1.txt

    Overview:

    Oracle Web Cache is a part of the Oracle Application Server suite. The
    Web
    Cache server is designed to be implemented in front of the Oracle Web
    server and act as a caching reverse proxy server.

    There exists two different denial of service scenarios, which will cause
    the Web Cache service to fail. The denial of service conditions can be
    exploited by simple HTTP requests to the Web Cache service.

    Detailed Description:

    There exists two different denial of service situations in Oracle Web
    Cache
    9.0.2.0.0. The first one is triggered by issuing a HTTP GET request
    containing at least one dot-dot-slash contained in the URI:

    GET /../ HTTP/1.0
    Host: whatever
    [CRLF]
    [CRLF]

    The second denial of service is triggered by issuing an malformed GET
    request:

    GET / HTTP/1.0
    Host: whatever
    Transfer-Encoding: chunked
    [CRLF]
    [CRLF]

    Both will create an exception and the service will fail.

    Vendor Response:

    Vendor was first contacted by stake: 08-28-2002.
    Vendor released a bulletin: 10-04-2002

    Oracle has released a bulletin describing a solution to this issue.

    Recommendation:

    Follow the vendor's instructions detailed in the security bulletin for
    this issue.

    - From the Oracle bulletin:

      Customers should follow best security practices for protecting the
      administration process from unauthorized users and requests. As such,
      Oracle strongly encourages customers to take both of the following
      protective measures:
      1. Use firewall techniques to restrict access to the Web Cache
         administration port.
      2. Use the “Secure Subnets” feature of the Web Cache Manager tool to
         provide access only to administrators connecting from a list of
         permitted IP addresses or subnets.
      The potential security vulnerability is being tracked internally at
      Oracle and will be fixed by default in the 9.0.4 release of Oracle9i
      Application Server.

      For more information, see:
      http://otn.oracle.com/deploy/security/pdf/2002alert43rev1.pdf

    Common Vulnerabilities and Exposures (CVE) Information:

    CAN-2002-0386 Oracle9iAS Web Cache Denial of Service

    stake Vulnerability Reporting Policy:
    http://www.atstake.com/research/policy/

    stake Advisory Archive:
    http://www.atstake.com/research/advisories/

    PGP Key:
    http://www.atstake.com/research/pgp_key.asc

    Copyright 2002 stake, Inc. All rights reserved.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.0.3

    iQA/AwUBPb2BRUe9kNIfAm4yEQIGYgCgymkfPYDKO4LKX6rIl97tjNrLrT0An3ez
    nfi5+qDCaLTEDyBItkXWvU6X
    =Y7i1
    -----END PGP SIGNATURE-----