15 Jul 2026 11:10:41 Anushka sur <[email protected]>:

We have identified a VAPT issue in our Oracle APEX application deployed on
ORDS 24.1.11 running on Apache Tomcat 9.0.11.

That is horribly out of date. You might want to check the list of published CVEs for 9.0.x

Observed behavior:
When the application URL host is replaced with another value, the
application redirects using that modified host instead of keeping the
redirect restricted to the approved domain. For example, if the original
host is replaced, the response follows the changed host value.

For example, when the application is accessed using sdcoradb5.com:8083, and the host value is replaced with bing.com, the application redirects using
the modified host value instead of the approved application domain.

This indicates that the request host may be getting trusted in the Tomcat layer, which can lead to a host header injection or unvalidated redirect
issue.

Oracle support has advised that this needs to be checked at the Tomcat
layer, so we are requesting your help to review the configuration and
identify the root cause.

Expected behavior:

The application should only redirect to the approved application domain and
should ignore or reject unexpected host values.


Please investigate and suggest the required configuration or remediation
steps.

I'm unconvinced this is an issue. All it allows is a user to construct (and they'll have to go to some effort to do so) a request that redirects a host of the user's choosing. I'm not seeing a security issue since the user could just send their request directly to that other host.

This isn't something a malicious user can trick a victim into unless the victim is running software with other vulnerabilities that expose them to this attack.

If you really want to block this, update your virtual host configuration.

Set up one virtual host for the correct host name(s) and deploy your application to that host.

Set up the default host with a ROOT that returns a 4xx response to all requests.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to