[NT] Oracle9iAS Web Cache Denial of Service

From: support@securiteam.com
Date: 10/31/02 

From: support@securiteam.com
To: list@securiteam.com
Date: 31 Oct 2002 11:30:45 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Oracle9iAS Web Cache Denial of Service
------------------------------------------------------------------------

SUMMARY

Oracle Web Cache is a part of the Oracle Application Server suite. The Web
Cache server is designed to be implemented in front of the Oracle Web
server and act as a caching reverse proxy server.

There exists two different denial of service scenarios, which will cause
the Web Cache service to fail. The denial of service conditions can be
exploited by simple HTTP requests to the Web Cache service.

DETAILS

Vulnerable systems:
 * Oracle9iAS Web Cache version 9.0.2.0.0

Detailed Description:
There exists two different denial of service situations in Oracle Web
Cache 9.0.2.0.0. The first one is triggered by issuing a HTTP GET request
containing at least one dot-dot-slash contained in the URI:

GET /../ HTTP/1.0
Host: whatever
[CRLF]
[CRLF]

The second denial of service is triggered by issuing an malformed GET
request:
GET / HTTP/1.0
Host: whatever
Transfer-Encoding: chunked
[CRLF]
[CRLF]

Both will create an exception and the service will fail.

Vendor Response:
Vendor was first contacted by @stake: 08-28-2002.
Vendor released a bulletin: 10-04-2002

Oracle has released a bulletin describing a solution to this issue.

Recommendation:
Follow the vendor's instructions detailed in the security bulletin for
this issue.

- From the Oracle bulletin:

Customers should follow best security practices for protecting the
administration process from unauthorized users and requests. As such,
Oracle strongly encourages customers to take both of the following
protective measures:

1. Use firewall techniques to restrict access to the Web Cache
administration port.
2. Use the "Secure Subnets" feature of the Web Cache Manager tool to
provide access only to administrators connecting from a list of permitted
IP addresses or subnets. The potential security vulnerability is being
tracked internally at Oracle and will be fixed by default in the 9.0.4
release of Oracle9i Application Server.

For more information, see:
 <http://otn.oracle.com/deploy/security/pdf/2002alert43rev1.pdf>
http://otn.oracle.com/deploy/security/pdf/2002alert43rev1.pdf

ADDITIONAL INFORMATION

The original advisory can be found at:
<www.atstake.com/research/advisories/2002/a102802-1.txt>
www.atstake.com/research/advisories/2002/a102802-1.txt

The information has been provided by <mailto:advisories@atstake.com>
@stake advisories.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages