Oracle Application Server Default Configuration Lets Remote Users Access Sensitive Services

SecurityTracker Alert ID: 1009167

CVE Reference: CAN-2002-0563

Date: Feb 23 2004

Impact: Disclosure of system information, Disclosure of user information, User access via network

Fix Available: Yes
Vendor Confirmed: Yes

Advisory: NGSSoftware

Version(s): 1.0.2.x
Description: Several vulnerabilities were reported in the Oracle Application Server. A remote user may be able to access potentially sensitive services.

It is reported that in the default configuration of Oracle Application Server 9iAS (release 1.0.2.x), a number of services, including the Dynamic Monitoring Services (DMS), are made accessible to remote users. A remote user can reportedly use the Dynamic Monitoring Services to monitor system information.
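The practical question an administrator has on reading the above is whether the monitoring URLs on a given 9iAS host still answer remote, unauthenticated requests after the vendor fix or an interim access restriction has been applied. The following check script is an added example, not code from the advisory, from NGSSoftware or from Oracle. It probes a list of paths and reports which ones the server hands to an unauthenticated client. The default path list is taken from the text of the CVE entry referenced above (CAN-2002-0563) and is an assumption for anything other than the 9iAS 1.0.2.x default layout; the host name, port and the `fetch` hook used in the usage note are illustrative.

```python
"""
Probe an Oracle HTTP Server for Dynamic Monitoring Services (DMS) and
process-manager URLs that answer remote, unauthenticated requests
(CAN-2002-0563).

Added check script; not from the advisory, NGSSoftware or Oracle.
The default path list is taken from the CVE description for 9iAS
1.0.2.x and is an assumption for any other release or layout:
confirm it against your own install.
"""
import sys
import urllib.error
import urllib.request

# Paths the CVE description names as reachable in the default 9iAS
# configuration. Assumption: your deployment serves them under the
# same prefixes; edit the list if your httpd.conf mounts them elsewhere.
DMS_PATHS = [
    "/dms0",
    "/dms/DMSDump",
    "/dms/AggreSpy",
    "/dms/Spy",
    "/oprocmgr-status",
    "/oprocmgr-service",
]


def classify(status):
    """Map an HTTP status (or None for no answer) to a verdict.

    'reachable'  : the server served the path to an unauthenticated client
    'restricted' : an access control (401/403) is in the way
    'absent'     : the path is not deployed (404)
    'error'      : no HTTP answer at all (refused, timeout, bad URL)
    'other'      : anything else (for example 5xx), worth a manual look
    """
    if status is None:
        return "error"
    if status == 200:
        return "reachable"
    if status in (401, 403):
        return "restricted"
    if status == 404:
        return "absent"
    return "other"


def fetch_http(url, timeout=5):
    """Return the final HTTP status for a GET on url, or None if no answer.

    urllib follows redirects, so a 302 to a login page is judged by the
    page it lands on. Connection failures and malformed URLs give None.
    """
    try:
        req = urllib.request.Request(url, headers={"User-Agent": "dms-exposure-check"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # 401/403/404/5xx still carry a status
    except (urllib.error.URLError, OSError, ValueError):
        return None


def probe(base_url, paths=None, fetch=fetch_http):
    """Probe each path under base_url; returns {path: verdict}.

    fetch(url) -> status is injectable so the logic can be exercised
    against canned results without a live server.
    """
    base = base_url.rstrip("/")
    return {p: classify(fetch(base + p)) for p in (paths or DMS_PATHS)}


def exposed(results):
    """Paths that must be restricted before the host faces an untrusted network."""
    return sorted(p for p, verdict in results.items() if verdict == "reachable")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: dms_check.py http://host:port")
    found = probe(sys.argv[1])
    for path, verdict in found.items():
        print(f"{verdict:10s} {path}")
    hits = exposed(found)
    if hits:
        print(f"{len(hits)} path(s) served without access control")
    else:
        print("no DMS/process-manager paths served to this client")
    sys.exit(1 if hits else 0)
```

Run it from a host outside the administrative network (`python3 dms_check.py http://ias.example.net:7777`, host and port illustrative) so that the result reflects what an arbitrary remote client sees, not what the loopback interface is allowed. Oracle HTTP Server is Apache-based, so a common interim restriction is a `<Location>` block per path in the relevant configuration file with `Order deny,allow`, `Deny from all` and `Allow from 127.0.0.1`; that is a generic Apache hardening step, not a description of the vendor fix referenced below, and after either change the script should report those paths as restricted rather than reachable.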
Impact: A remote user can access services to obtain potentially sensitive information.

Solution: The vendor has reportedly issued a fix, as described in Oracle Security Alert #28, available at:
http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf

Vendor URL: otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf

Cause: Access control error, Configuration error

Underlying OS: Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)
Reported By: "David Litchfield" <david@nextgenss.com>

Message History:
None.

Source Message Contents
Date: Wed, 6 Feb 2002 06:43:59 -0000
From: "David Litchfield" <david@nextgenss.com>
Subject: Hackproofing Oracle Application Server paper

Howdy,
I've written a white-paper, "Hackproofing Oracle Application Server." It
covers vulnerable areas and what must be done to secure the box. Anyone
interested may get a copy from http://www.nextgenss.com/papers/hpoas.pdf .
Cheers,
David Litchfield
http://www.nextgenss.com/