
Oracle9iAS Web Cache Denial of Service (a102802-1)

From: <Jared.Still_at_radisys.com>
Date: Tue, 05 Nov 2002 15:14:01 -0800
Message-ID: <F001.004FC5A1.20021105151401@fatcity.com>


FYI
----- Forwarded by Jared Still/Radisys_Corporation/US on 11/05/2002 03:12 PM -----

"@stake advisories" <advisories
 10/28/2002 11:05 AM  

        To:     <bugtraq_at_securityfocus.com>
        cc: 
        Subject:        Oracle9iAS Web Cache Denial of Service (a102802-1)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                               @stake, Inc.
                             www.atstake.com

                            Security Advisory


Advisory Name: Oracle9iAS Web Cache Denial of Service
 Release Date: 10-28-2002
  Application: Oracle9iAS Web Cache 9.0.2.0.0
     Platform: Windows NT/2000/XP
     Severity: Remote anonymous DoS
       Author: Andreas Junestam (andreas_at_atstake.com)
Vendor Status: Oracle has released a bulletin
CVE Candidate: CAN-2002-0386

    Reference: www.atstake.com/research/advisories/2002/a102802-1.txt

Overview:

Oracle Web Cache is a part of the Oracle Application Server suite. The Web Cache server is designed to be implemented in front of the Oracle Web server and act as a caching reverse proxy server.

There exist two different denial of service scenarios, which will cause the Web Cache service to fail. The denial of service conditions can be exploited by simple HTTP requests to the Web Cache service.

Detailed Description:

There exist two different denial of service situations in Oracle Web Cache 9.0.2.0.0. The first one is triggered by issuing an HTTP GET request containing at least one dot-dot-slash in the URI:

GET /../ HTTP/1.0
Host: whatever
[CRLF]
[CRLF]
The second denial of service is triggered by issuing a malformed GET request:

GET / HTTP/1.0
Host: whatever
Transfer-Encoding: chunked
[CRLF]
[CRLF]
Both will create an exception and the service will fail.

Vendor Response:

Vendor was first contacted by @stake: 08-28-2002. Vendor released a bulletin: 10-04-2002

Oracle has released a bulletin describing a solution to this issue.

Recommendation:

Follow the vendor's instructions detailed in the security bulletin for this issue.

  Customers should follow best security practices for protecting the
  administration process from unauthorized users and requests. As such,
  Oracle strongly encourages customers to take both of the following
  protective measures:

  1. Use firewall techniques to restrict access to the Web Cache administration port.
  2. Use the "Secure Subnets" feature of the Web Cache Manager tool to provide access only to administrators connecting from a list of permitted IP addresses or subnets.

  The potential security vulnerability is being tracked internally at Oracle and will be fixed by default in the 9.0.4 release of Oracle9i Application Server.

  For more information, see:
  http://otn.oracle.com/deploy/security/pdf/2002alert43rev1.pdf

Common Vulnerabilities and Exposures (CVE) Information:

CAN-2002-0386 Oracle9iAS Web Cache Denial of Service

@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2002 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPb2J9Ee9kNIfAm4yEQLSFQCg7dL0gNKF5XxKlGK6KMXPKqd8ngEAnj1Q
nqWXYFAipK5RbSYzYmRAgoP+
=5sSn
-----END PGP SIGNATURE-----

Received on Tue Nov 05 2002 - 17:14:01 CST
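The advisory above gives the two request shapes that crash Web Cache 9.0.2.0.0: a request-target containing "../", and a GET that declares "Transfer-Encoding: chunked" but carries no body. The following detector is an added example written for this archive page; it is not code from @stake, Oracle, or the list poster. It parses raw HTTP/1.x requests and flags either pattern, which is what you would run over a packet capture or a reverse-proxy request log in front of an unpatched cache. The function names, the batch format and the sample requests are all assumptions of this example (the samples are constructed from the two probes printed in the advisory plus two benign requests); the second pattern is generalised slightly to HEAD as well as GET, since a chunked body is equally anomalous there.

```python
"""Detect the two request shapes from @stake advisory a102802-1 that crash
Oracle9iAS Web Cache 9.0.2.0.0:
  1. a request-target containing dot-dot-slash ("/../"), and
  2. a GET carrying "Transfer-Encoding: chunked" with no body.

Added example, not code from @stake or Oracle.  Function names, the batch
format and the sample requests below are assumptions of this example.
"""
import re
from typing import Dict, List, Tuple

# Methods that normally carry no body; a chunked encoding on these is the
# malformed shape the advisory describes (HEAD added by assumption).
BODYLESS_METHODS = {"GET", "HEAD"}


def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (method, target, version, headers).

    Header names are lower-cased; a repeated header keeps its last value,
    which is sufficient for classifying a probe.  Raises ValueError if the
    request line does not have the three-token shape.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError(f"bad request line: {lines[0]!r}")
    method, target, version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), target, version, headers


def classify_request(raw: bytes) -> List[str]:
    """Return the advisory patterns matched by one request ([] if none)."""
    method, target, _version, headers = parse_request(raw)
    findings: List[str] = []
    # Pattern 1: dot-dot-slash anywhere in the URI.  The advisory shows "/../";
    # the backslash variant is included by assumption for Windows targets.
    if re.search(r"\.\.[/\\]", target):
        findings.append("dot-dot-slash in request target")
    # Pattern 2: a bodyless method that nevertheless declares a chunked body.
    te = headers.get("transfer-encoding", "").lower()
    if method in BODYLESS_METHODS and "chunked" in te:
        findings.append("chunked transfer-encoding on bodyless method")
    return findings


def scan(requests: List[bytes]) -> List[Tuple[int, List[str]]]:
    """Classify a batch; return (index, findings) only for flagged requests.

    An unparseable request line is itself reported rather than skipped, since
    a crashing proxy is exactly where malformed input matters.
    """
    out: List[Tuple[int, List[str]]] = []
    for i, raw in enumerate(requests):
        try:
            findings = classify_request(raw)
        except ValueError:
            findings = ["unparseable request line"]
        if findings:
            out.append((i, findings))
    return out


# Constructed samples: the two probes printed in the advisory, a benign GET,
# and a legitimately chunked POST that must not be flagged.
SAMPLE_REQUESTS = [
    b"GET /../ HTTP/1.0\r\nHost: whatever\r\n\r\n",
    b"GET / HTTP/1.0\r\nHost: whatever\r\nTransfer-Encoding: chunked\r\n\r\n",
    b"GET /index.html HTTP/1.0\r\nHost: whatever\r\n\r\n",
    b"POST /upload HTTP/1.1\r\nHost: whatever\r\nTransfer-Encoding: chunked"
    b"\r\n\r\n5\r\nhello\r\n0\r\n\r\n",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_REQUESTS):
        print(f"request {idx}: {', '.join(hits)}")
```

Running the block flags requests 0 and 1 only. The chunked POST is deliberately left alone: chunked encoding is legitimate on methods that carry a body, so matching on the header alone would drown the signal in ordinary upload traffic. Note also that the traversal check runs on the raw target, before any URL decoding; if the front-end normalises "%2e%2e/" before the cache sees it, add a decode step in front of the regex.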
