From advisories@atstake.com Sat Nov 9 09:16:17 2002 From: "@stake advisories" To: vulnwatch@vulnwatch.org Date: Mon, 28 Oct 2002 13:30:54 -0500 Subject: [VulnWatch] Oracle9iAS Web Cache Denial of Service (a102802-1) [ The following text is in the "Windows-1252" character set. ] [ Your display is set for the "US-ASCII" character set. ] [ Some characters may be displayed incorrectly. ] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 @stake, Inc. www.atstake.com Security Advisory Advisory Name: Oracle9iAS Web Cache Denial of Service Release Date: 10-28-2002 Application: Oracle9iAS Web Cache 9.0.2.0.0 Platform: Windows NT/2000/XP Severity: Remote anonymous DoS Author: Andreas Junestam (andreas@atstake.com) Vendor Status: Oracle has released a bulletin CVE Candidate: CAN-2002-0386 Reference: www.atstake.com/research/advisories/2002/a102802-1.txt Overview: Oracle Web Cache is a part of the Oracle Application Server suite. The Web Cache server is designed to be implemented in front of the Oracle Web server and act as a caching reverse proxy server. There exists two different denial of service scenarios, which will cause the Web Cache service to fail. The denial of service conditions can be exploited by simple HTTP requests to the Web Cache service. Detailed Description: There exists two different denial of service situations in Oracle Web Cache 9.0.2.0.0. The first one is triggered by issuing a HTTP GET request containing at least one dot-dot-slash contained in the URI: GET /../ HTTP/1.0 Host: whatever [CRLF] [CRLF] The second denial of service is triggered by issuing an malformed GET request: GET / HTTP/1.0 Host: whatever Transfer-Encoding: chunked [CRLF] [CRLF] Both will create an exception and the service will fail. Vendor Response: Vendor was first contacted by @stake: 08-28-2002. Vendor released a bulletin: 10-04-2002 Oracle has released a bulletin describing a solution to this issue. Recommendation: Follow the vendor's instructions detailed in the security bulletin for this issue. - From the Oracle bulletin: Customers should follow best security practices for protecting the administration process from unauthorized users and requests. As such, Oracle strongly encourages customers to take both of the following protective measures: 1. Use firewall techniques to restrict access to the Web Cache administration port. 2. Use the ^ÓSecure Subnets^Ô feature of the Web Cache Manager tool to provide access only to administrators connecting from a list of permitted IP addresses or subnets. The potential security vulnerability is being tracked internally at Oracle and will be fixed by default in the 9.0.4 release of Oracle9i Application Server. For more information, see: http://otn.oracle.com/deploy/security/pdf/2002alert43rev1.pdf Common Vulnerabilities and Exposures (CVE) Information: CAN-2002-0386 Oracle9iAS Web Cache Denial of Service @stake Vulnerability Reporting Policy: http://www.atstake.com/research/policy/ @stake Advisory Archive: http://www.atstake.com/research/advisories/ PGP Key: http://www.atstake.com/research/pgp_key.asc Copyright 2002 @stake, Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.3 iQA/AwUBPb2BRUe9kNIfAm4yEQIGYgCgymkfPYDKO4LKX6rIl97tjNrLrT0An3ez nfi5+qDCaLTEDyBItkXWvU6X =Y7i1 -----END PGP SIGNATURE-----