DoS Bug Found in Oracle9i App Server

Security consultants @stake has discovered a vulnerability in the Oracle9i Application Server that could lead to Denial of Service (DoS) scenarios.


You Can't Detect What You Can't See: Illuminating the Entire Kill Chain

On-Demand Webinar

Posted October 29, 2002

Ryan Naraine

Ryan Naraine

Security consultants @stake has detected a potential vulnerability in the Oracle9i Application Server that could lead to Denial of Service (DoS) scenarios.

In a security alert, @stake said the potential bug was discovered in the Oracle9iAS Web Cache admin module running on Windows. It said two different denial of service situations could be triggered by issuing a HTTP GET request containing at least one dot-dot-slash contained in the URI.

A second denial of service is triggered by issuing a malformed GET request, @stake said, warning that both scenarios would create an exception and the service will fail.

Oracle Web Cache is part of the company's Application Server suite. It is designed to be implemented in front of the Oracle Web server and act as a caching reverse proxy server.

Oracle confirmed the potential security risk in a bulletin and urged users to "use firewall techniques to restrict access to the Web Cache administration port."

Customers were also encouraged to use the "Secure Subnets" feature of the Web Cache Manager tool to provide access only to administrators connecting from a list of permitted IP addresses or subnets.

"The potential security vulnerability is being tracked internally at Oracle and will be fixed by default in the 9.0.4 release of Oracle9i Application Server," the company said.

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.



IT Management Daily
Don't miss an article. Subscribe to our newsletter below.

By submitting your information, you agree that datamation.com may send you Datamation offers via email, phone and text message, as well as email offers about other products and services that Datamation believes may be of interest to you. Datamation will process your information in accordance with the Quinstreet Privacy Policy.