Oracle9iAS Web Cache Denial of Service (a102802-1)

From: @stake advisories (@stake)
Date: Mon Oct 28 2002 - 11:05:57 PST

Next message: Fredrik Björk: "Re: IBM Infoprint Remote Management Simple DoS"

Previous message: Alexander Komlin: "Substitution of document signed under new American format ECDSA."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                               @stake, Inc.
                             www.atstake.com

                            Security Advisory


Advisory Name: Oracle9iAS Web Cache Denial of Service
 Release Date: 10-28-2002
  Application: Oracle9iAS Web Cache 9.0.2.0.0
     Platform: Windows NT/2000/XP
     Severity: Remote anonymous DoS
       Author: Andreas Junestam (andreasat_private)
Vendor Status: Oracle has released a bulletin
CVE Candidate: CAN-2002-0386 
    Reference: www.atstake.com/research/advisories/2002/a102802-1.txt


Overview:

Oracle Web Cache is a part of the Oracle Application Server suite. The
Web Cache server is designed to be implemented in front of the Oracle
Web server and act as a caching reverse proxy server.

There exists two different denial of service scenarios, which will cause
the Web Cache service to fail. The denial of service conditions can be
exploited by simple HTTP requests to the Web Cache service.


Detailed Description:

There exists two different denial of service situations in Oracle Web
Cache 9.0.2.0.0. The first one is triggered by issuing a HTTP GET
request containing at least one dot-dot-slash contained in the URI:

GET /../ HTTP/1.0
Host: whatever
[CRLF]
[CRLF]

The second denial of service is triggered by issuing an malformed GET
request:

GET / HTTP/1.0
Host: whatever
Transfer-Encoding: chunked
[CRLF]
[CRLF]

Both will create an exception and the service will fail.


Vendor Response:

Vendor was first contacted by @stake: 08-28-2002.
Vendor released a bulletin: 10-04-2002

Oracle has released a bulletin describing a solution to this issue.


Recommendation:

Follow the vendor's instructions detailed in the security bulletin for
this issue. 

- - From the Oracle bulletin:

  Customers should follow best security practices for protecting the
  administration process from unauthorized users and requests. As such,
  Oracle strongly encourages customers to take both of the following
  protective measures:
  1. Use firewall techniques to restrict access to the Web Cache
     administration port.
  2. Use the “Secure Subnets” feature of the Web Cache Manager tool to
     provide access only to administrators connecting from a list of
     permitted IP addresses or subnets.
  The potential security vulnerability is being tracked internally at
  Oracle and will be fixed by default in the 9.0.4 release of Oracle9i
  Application Server.

  For more information, see:
  http://otn.oracle.com/deploy/security/pdf/2002alert43rev1.pdf


Common Vulnerabilities and Exposures (CVE) Information:

CAN-2002-0386 Oracle9iAS Web Cache Denial of Service


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2002 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPb2J9Ee9kNIfAm4yEQLSFQCg7dL0gNKF5XxKlGK6KMXPKqd8ngEAnj1Q
nqWXYFAipK5RbSYzYmRAgoP+
=5sSn
-----END PGP SIGNATURE-----

Next message: Fredrik Björk: "Re: IBM Infoprint Remote Management Simple DoS"
Previous message: Alexander Komlin: "Substitution of document signed under new American format ECDSA."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Oct 28 2002 - 12:11:42 PST