ouch.

=jay


  CERT advisory: Multiple vulnerabilities in Oracle Servers
------------------------------------------------------------------------


SUMMARY

Multiple  vulnerabilities  in  Oracle Application Server have recently
been  discovered.  These  vulnerabilities  include  buffer  overflows,
insecure  default  settings,  failures to enforce access controls, and
failure  to  validate  input.  The  impacts  of  these vulnerabilities
include  the  execution  of  arbitrary  commands  or  code,  denial of
service, and unauthorized access to sensitive information.

DETAILS

Vulnerable systems:
Systems running Oracle8i Database
Systems running Oracle9i Database
Systems running Oracle9i Application Server


Oracle  Application  Server  includes a web server based on the Apache
HTTP  Server. Oracle extends the web server with a number of different
components that can be used to provide interfaces to database applications.
These components include, but are not limited to, a Procedural
Language/Structured Query Language (PL/SQL) module, Java Server  Pages,
XSQL Servlets, and Simple Object Access Protocol (SOAP) applications.

The vulnerabilities referenced in this advisory were reported in several
publications by David Litchfield of NGSSoftware:

* Hackproofing Oracle Application Server
  http://www.nextgenss.com/papers/hpoas.pdf

* NGSSoftware Insight Security Research Advisory #NISR20122001
  http://www.nextgenss.com/advisories/plsql.txt

* NGSSoftware Insight Security Research Advisory #NISR06022002A
  http://www.nextgenss.com/advisories/oraplsextproc.txt

* NGSSoftware Insight Security Research Advisory #NISR06022002B
  http://www.nextgenss.com/advisories/oraplsbos.txt

* NGSSoftware Insight Security Research Advisory #NISR06022002C
  http://www.nextgenss.com/advisories/orajsa.txt
  http://www.nextgenss.com/advisories/orajsp.txt

For the complete list of Oracle-related vulnerabilities published by the
CERT/CC, please search the Vulnerability Notes Database using the term
'Oracle'. Details about specific vulnerabilities can be found in the
appropriate vulnerability note.

Oracle has addressed these vulnerabilities with patches and recommended
configuration changes. For more information please see the vendor
information section.

Buffer overflows

Several  buffer-overflow  vulnerabilities  exist in the way the PL/SQL
module  handles  HTTP  requests  and configuration parameters. Default
configuration  settings  in  a  range  of components are insecure, and
different  components  fail  to  apply  access restrictions uniformly.
These   vulnerabilities   expose   both  the  systems  running  Oracle
Application   Server  and  the  information  held  in  the  underlying
databases to undue risk.

Two more buffer overflow vulnerabilities exist in code that processes
configuration parameters. These parameters can be specified via the
PL/SQL gateway web administration interface, and by default access to
that interface is not restricted [VU#611776], so the vulnerable code is
reachable by an unauthenticated remote user.

VU#500203   -   Oracle9i   Application  Server  Apache  PL/SQL  module
vulnerable to buffer overflow via help page request

VU#313280   -   Oracle9i   Application  Server  Apache  PL/SQL  module
vulnerable to buffer overflow via HTTP Location header

VU#750299   -   Oracle9i   Application  Server  Apache  PL/SQL  module
vulnerable to buffer overflow via HTTP request

VU#878603   -   Oracle9i   Application  Server  Apache  PL/SQL  module
vulnerable to buffer overflow via HTTP Authorization header

VU#659043   -   Oracle9i   Application  Server  Apache  PL/SQL  module
vulnerable to buffer overflow via Database Access Descriptor password

VU#923395   -   Oracle9i   Application  Server  Apache  PL/SQL  module
vulnerable to buffer overflow via cache directory name

Insecure default configurations

The  default  installation  of  Oracle  Application  Server includes a
number  of insecure configuration settings, such as well-known default
passwords  and  unrestricted  access  to  applications  and  sensitive
information.

VU#307835  -  Oracle9i  Application  Server OWA_UTIL procedures expose
sensitive information

VU#736923  -  Oracle  9iAS  SOAP  components  allow anonymous users to
deploy applications by default

VU#611776   -   Oracle9i   Application   Server   PL/SQL  Gateway  web
administration interface uses null authentication by default

VU#698467  -  Oracle  9iAS  default  configuration  allows  access  to
"globals.jsa" file

VU#476619  -  Oracle 9iAS default configuration allows arbitrary users to
view sensitive configuration files

VU#712723  - Oracle 9iAS default configuration uses well-known default
passwords

VU#168795  -  Oracle  9iAS  allows  anonymous  remote  users  to  view
sensitive Apache services by default

VU#278971  -  Oracle  9i Application Server does not adequately handle
requests  for nonexistent JSP files thereby disclosing web folder path
information

Failure to enforce access controls

Oracle   Application   Server   does   not  uniformly  enforce  access
restrictions.   Different   components   do   not   adequately   check
authorization before granting access to protected resources.

VU#180147  -  Oracle  9i  Database  Server PL/SQL module allows remote
command execution without authentication

VU#193523 - Oracle 9i Application Server allows unauthenticated access to
PL/SQL applications via alternate Database Access Descriptor

VU#977251 - Oracle 9iAS XSQL Servlet ignores file permissions allowing
arbitrary users to view sensitive configuration files

VU#547459  -  Oracle  9iAS creates temporary files when processing JSP
requests that are world-readable
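The two groups above (insecure defaults and uneven access control) share one practical question for an administrator: which of these components answers an anonymous request on my server? The script below is an added example for this page, not CERT/CC or Oracle code. It sends plain GET requests to the locations where these components are commonly mounted and reports the ones that return content without an authentication challenge. Every URL path, the DAD name, the body markers and the default port 7777 are assumptions drawn from common mod_plsql, Apache SOAP and OJSP layouts, not values taken from the advisory; adjust them for the target before relying on the result.

```python
"""Audit an Oracle 9iAS front end for the unauthenticated defaults this
advisory lists: the PL/SQL gateway admin interface, OWA_UTIL procedures,
the SOAP router, globals.jsa, and Apache status pages.

Added example for this page, not CERT/CC or Oracle code.  Every URL path
below is an assumption drawn from common mod_plsql / Apache SOAP / OJSP
layouts; adjust DAD_NAME and CHECKS to the target.  Only GET requests
are sent: nothing is deployed, executed, or modified.
"""
from __future__ import annotations

import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

DAD_NAME = "simpledad"  # assumption: substitute a DAD configured on the target

# (path, vulnerability note, body marker expected on a real hit, meaning)
# A marker of None means any 2xx response counts as exposure.
CHECKS = [
    ("/pls/admin_/gateway.htm", "VU#611776", None,
     "PL/SQL gateway admin interface served without an auth challenge"),
    (f"/pls/{DAD_NAME}/owa_util.signature", "VU#307835",
     "PL/SQL Web Toolkit",   # assumption: text owa_util.signature emits
     "OWA_UTIL procedures callable through the DAD"),
    ("/soap/servlet/soaprouter", "VU#736923", None,
     "SOAP router reachable; verify whether anonymous deployment is enabled"),
    ("/demo/ojspext/events/globals.jsa", "VU#698467", None,
     "globals.jsa served to an anonymous client"),
    ("/server-status", "VU#168795", "Apache Server Status",
     "mod_status page exposed"),
    ("/server-info", "VU#168795", None, "mod_info page exposed"),
]


@dataclass
class Finding:
    path: str
    vu: str
    status: int
    note: str


def http_get(url: str, timeout: float = 5.0) -> tuple[int, str]:
    """GET url and return (status, first 2 KiB of body); 4xx/5xx are data, not errors."""
    req = urllib.request.Request(url, headers={"User-Agent": "oas-default-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(2048).decode("latin-1", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(2048).decode("latin-1", "replace")


def classify(status: int, body: str, marker: Optional[str]) -> str:
    """'exposed' | 'protected' | 'absent' | 'unknown' for one probe response."""
    if status in (401, 403):
        return "protected"      # an auth challenge or deny is the desired state
    if status == 404:
        return "absent"         # component not installed or already removed
    if 200 <= status < 300:
        if marker is None or marker.lower() in body.lower():
            return "exposed"
        return "unknown"        # 200 but not the expected page (custom error page?)
    return "unknown"


def audit(base_url: str,
          fetch: Callable[[str], tuple[int, str]] = http_get) -> list[Finding]:
    """Probe every path in CHECKS and return those classified as exposed."""
    base = base_url.rstrip("/")
    findings: list[Finding] = []
    for path, vu, marker, note in CHECKS:
        status, body = fetch(base + path)
        if classify(status, body, marker) == "exposed":
            findings.append(Finding(path, vu, status, note))
    return findings


if __name__ == "__main__":
    # 7777 is the usual Oracle HTTP Server listener port (assumption)
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:7777"
    for f in audit(target):
        print(f"{f.vu}  {f.status}  {f.path}  {f.note}")
```

A 401 or 403 on the gateway admin page is the state Oracle's configuration guidance aims for; a 200 there, or a signature page coming back from owa_util, means the default has not been changed. The marker check on 2xx responses keeps a site-wide custom error page from being reported as exposure.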

Failure to validate input

In  one  case,  the PL/SQL module does not properly handle a malformed
HTTP request.

VU#805915  - Oracle9i Application Server Apache PL/SQL module does not
properly handle HTTP Authorization header

Impact

The  impacts  of these vulnerabilities include the remote execution of
arbitrary   code,  remote  execution  of  commands  and  SQL  queries,
disclosure of sensitive information, and denial of service.

Remote execution of arbitrary commands and code

This section contains vulnerabilities that permit a remote intruder to
cause  a  denial  of  service  or execute arbitrary commands, code, or
queries on the system.

Some  of  these vulnerabilities allow execution with the privileges of the
Apache process. On UNIX systems, the Apache process typically runs as the
"oracle" user. On Windows systems, the Apache service typically runs  as
the  SYSTEM user; therefore, an attacker could gain complete control of
the system by exploiting these vulnerabilities.

VU#500203   -   Oracle9i   Application  Server  Apache  PL/SQL  module
vulnerable to buffer overflow via help page request

VU#313280   -   Oracle9i   Application  Server  Apache  PL/SQL  module
vulnerable to buffer overflow via HTTP Location header

VU#750299   -   Oracle9i   Application  Server  Apache  PL/SQL  module
vulnerable to buffer overflow via HTTP request

VU#878603   -   Oracle9i   Application  Server  Apache  PL/SQL  module
vulnerable to buffer overflow via HTTP Authorization header

VU#659043   -   Oracle9i   Application  Server  Apache  PL/SQL  module
vulnerable to buffer overflow via Database Access Descriptor password

VU#923395   -   Oracle9i   Application  Server  Apache  PL/SQL  module
vulnerable to buffer overflow via cache directory name

VU#180147  -  Oracle  9i  Database  Server PL/SQL module allows remote
command execution without authentication

VU#736923  -  Oracle  9iAS  SOAP  components  allow anonymous users to
deploy applications by default

VU#712723  - Oracle 9iAS default configuration uses well-known default
passwords

VU#611776   -   Oracle9i   Application   Server   PL/SQL  Gateway  web
administration interface uses null authentication by default

Unauthorized access to sensitive information

A  number  of  vulnerabilities  disclose  configuration information or
expose   data   stored   in   underlying   databases.  Also,  insecure
applications  could  allow  an intruder to execute SQL queries. Oracle
system  programmers  may  wish  to  examine  these  vulnerabilities in
Oracle's  sample pages to prevent similar vulnerabilities in their own
Oracle applications.

VU#307835  -  Oracle9i  Application Server OWA_UTIL PL/SQL application
exposes procedures that are remotely accessible by arbitrary users

VU#193523 - Oracle 9i Application Server allows unauthenticated access to
PL/SQL applications via alternate Database Access Descriptor

VU#698467  -  Oracle  9iAS  default  configuration  allows  access  to
"globals.jsa" file

VU#476619  -  Oracle 9iAS default configuration allows arbitrary users to
view sensitive configuration files

VU#977251 - Oracle 9iAS XSQL Servlet ignores file permissions allowing
arbitrary users to view sensitive configuration files

VU#168795  -  Oracle  9iAS  allows  anonymous  remote  users  to  view
sensitive Apache services by default

VU#278971  -  Oracle  9i Application Server does not adequately handle
requests  for nonexistent JSP files thereby disclosing web folder path
information

VU#547459  -  Oracle  9iAS creates temporary files when processing JSP
requests that are world-readable

Denial of service

In  the  case where the PL/SQL module does not properly handle an HTTP
request,   a   denial-of-service   vulnerability   exists.   Also,  an
unsuccessful  attempt to exploit a buffer overflow vulnerability could
crash the Apache service.

VU#805915  - Oracle9i Application Server Apache PL/SQL module does not
properly handle HTTP Authorization header
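The impact sections above describe what an attacker sends: requests to the gateway admin interface, OWA_UTIL procedure calls through a DAD, deployments to the SOAP router, fetches of globals.jsa, probes for nonexistent JSPs, and oversized requests aimed at the PL/SQL module's overflows. All of these leave a trace in the Oracle HTTP Server access log. The script below is an added example for this page, not CERT/CC or Oracle code: it parses Apache combined-format log lines and flags the ones that match those patterns. The URL patterns are assumptions from common 9iAS layouts, MAX_URI_LEN is a tuning knob rather than a figure from the advisory, and the lines in SAMPLE_LOG are constructed for the demonstration.

```python
"""Flag Apache access-log entries matching the attack surface described in
this advisory: PL/SQL gateway admin pages, OWA_UTIL procedure calls, POSTs
to the SOAP router, globals.jsa fetches, probes for nonexistent JSPs, and
abnormally long request URIs (a crude indicator of overflow attempts
against the PL/SQL module).

Added example for this page, not CERT/CC or Oracle code.  It assumes the
Apache combined log format; the URL patterns are assumptions from common
9iAS layouts and MAX_URI_LEN is a tuning knob, not a figure from the
advisory.  The log lines in SAMPLE_LOG are constructed for the demo.
"""
from __future__ import annotations

import re
from typing import Optional

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

MAX_URI_LEN = 1024  # assumption: legitimate 9iAS URIs are far shorter than this


def parse(line: str) -> Optional[dict]:
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["uri"].split("?", 1)[0].lower()  # drop the query string
    return rec


def rules(rec: dict) -> list[str]:
    """Return the advisory items a parsed record matches (empty = benign)."""
    hits = []
    path = rec["path"]
    if path.startswith("/pls/admin_/"):
        hits.append("VU#611776 PL/SQL gateway admin interface access")
    if "owa_util." in path:
        hits.append("VU#307835 OWA_UTIL procedure invoked through a DAD")
    if path.startswith("/soap/servlet/soaprouter") and rec["method"] == "POST":
        hits.append("VU#736923 SOAP router POST (possible service deployment)")
    if path.endswith("globals.jsa"):
        hits.append("VU#698467 globals.jsa requested")
    if path.endswith(".jsp") and rec["status"] >= 400:
        hits.append("VU#278971 failed JSP request (path disclosure probe?)")
    if len(rec["uri"]) > MAX_URI_LEN:
        hits.append("oversized URI (possible mod_plsql overflow attempt)")
    return hits


def scan(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client, uri, hits) for every line that triggers a rule."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        hits = rules(rec)
        if hits:
            flagged.append((rec["host"], rec["uri"], hits))
    return flagged


# Constructed sample lines (not real traffic).
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [10/Mar/2002:12:01:02 -0500] "GET /pls/admin_/gateway.htm HTTP/1.0" 200 4123 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [10/Mar/2002:12:01:09 -0500] "GET /pls/simpledad/owa_util.signature HTTP/1.0" 200 312 "-" "Mozilla/4.0"',
    '10.0.0.7 - - [10/Mar/2002:12:02:30 -0500] "POST /soap/servlet/soaprouter HTTP/1.0" 200 655 "-" "Java1.3"',
    '10.0.0.5 - - [10/Mar/2002:12:03:11 -0500] "GET /nosuchpage.jsp HTTP/1.0" 404 290 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [10/Mar/2002:12:04:00 -0500] "GET /pls/simpledad/orders.list?id=7 HTTP/1.0" 200 1200 "-" "Mozilla/4.0"',
    '10.0.0.5 - - [10/Mar/2002:12:05:45 -0500] "GET /pls/simpledad/' + "A" * 1500 + ' HTTP/1.0" 500 0 "-" "-"',
])

if __name__ == "__main__":
    for host, uri, hits in scan(SAMPLE_LOG):
        print(f"{host}  {uri[:60]}  ->  {'; '.join(hits)}")
```

The oversized-URI rule only sees what Apache writes to the request line; overflows triggered through the Authorization or Location headers will not show up there unless the LogFormat records those headers, which is worth adding while the patches from the Solution section are being rolled out.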

Solution

Oracle has provided patches and workarounds that address most of these
vulnerabilities. Sites using Oracle Application Server are encouraged to
install the appropriate patches and make the recommended configuration
changes provided by Oracle.

Solutions and workarounds for specific vulnerabilities can be found in
individual  vulnerability  notes  and in the following Oracle security
alerts:

* Oracle Security Alert #29
  http://otn.oracle.com/deploy/security/pdf/plsextproc_alert.pdf

* Oracle Security Alert #28
  http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf

* Oracle Security Alert #25
  http://otn.oracle.com/deploy/security/pdf/modplsql.pdf

* Oracle Security Alert #22
  http://otn.oracle.com/deploy/security/pdf/ias_soap_alert.pdf

Security and patch information for Oracle products is available at the
following locations:

* Oracle Security Alerts
  http://otn.oracle.com/deploy/security/alerts.htm

* MetaLink (registration required)
  http://metalink.oracle.com/

Sites using Oracle Application Server may also find David Litchfield's
Hackproofing  Oracle Application Server paper useful in describing the
impacts and various interactions of these vulnerabilities.

Apply a patch

Oracle   has   released   patches   that   address   some   of   these
vulnerabilities.  Patch  information  can  be found in Oracle Security
Alert  #28  and Oracle Security Alert #25 and on the MetaLink web site
(registration required).

Secure default configuration

Oracle  has  provided  documentation  on  changing  vulnerable default
configuration  settings. For details, consult individual Vulnerability
Notes and the Oracle Security Alerts referenced in the additional
information section.



ADDITIONAL INFORMATION

The  CERT  Coordination  Center thanks David Litchfield and Oracle for
information used in this document.

Authors: Art Manion, Jason Rafail, and Shawn Van Ittersum

References

1.  http://www.kb.cert.org/vuls/id/500203
2.  http://www.kb.cert.org/vuls/id/313280
3.  http://www.kb.cert.org/vuls/id/750299
4.  http://www.kb.cert.org/vuls/id/878603
5.  http://www.kb.cert.org/vuls/id/659043
6.  http://www.kb.cert.org/vuls/id/923395
7.  http://www.kb.cert.org/vuls/id/307835
8.  http://www.kb.cert.org/vuls/id/736923
9.  http://www.kb.cert.org/vuls/id/611776
10. http://www.kb.cert.org/vuls/id/698467
11. http://www.kb.cert.org/vuls/id/476619
12. http://www.kb.cert.org/vuls/id/712723
13. http://www.kb.cert.org/vuls/id/168795
14. http://www.kb.cert.org/vuls/id/278971
15. http://www.kb.cert.org/vuls/id/180147
16. http://www.kb.cert.org/vuls/id/193523
17. http://www.kb.cert.org/vuls/id/977251
18. http://www.kb.cert.org/vuls/id/805915
19. http://www.kb.cert.org/vuls/id/547459
20. http://www.nextgenss.com/papers/hpoas.pdf
21. http://www.nextgenss.com/advisories/plsql.txt
22. http://www.nextgenss.com/advisories/oraplsextproc.txt
23. http://www.nextgenss.com/advisories/oraplsbos.txt
24. http://www.nextgenss.com/advisories/orajsa.txt
25. http://www.nextgenss.com/advisories/orajsp.txt
26. http://otn.oracle.com/deploy/security/pdf/plsextproc_alert.pdf
27. http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf
28. http://otn.oracle.com/deploy/security/pdf/modplsql.pdf
29. http://otn.oracle.com/deploy/security/pdf/ias_soap_alert.pdf



========================================


This bulletin is sent to members of the SecuriTeam mailing list.


====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, 
incidental, consequential, loss of business profits or special damages.





_______________________________________________
Bits mailing list
http://www.sugoi.org/mailman/listinfo/bits
