__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Center ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ ADVISORY NOTICE Oracle 9iAS Default Configuration Vulnerability [NGSSoftware Insight Security Research Advisory #NISR06022002C] February 27, 2002 20:00 GMT Number M-048 ______________________________________________________________________________ PROBLEM: A vulnerability in the Oracle Database Server version 9iAS configuration could allow remote users to view the "globals.jas" file. PLATFORM: Oracle 9iAS DAMAGE: If exploited, an attacker could obtain information which may contain Oracle usernames and passwords. SOLUTION: Apply workarounds listed. ______________________________________________________________________________ VULNERABILITY The risk is HIGH. An attacker could obtain usernames and ASSESSMENT: passwords that can then be used to access the system. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-048.shtml ORIGINAL BULLETIN: http://www.nextgenss.com/advisories/orajsp.txt ______________________________________________________________________________ [***** Start NGSSoftware Advisory #NISR06022002C *****] NGSSoftware Insight Security Research Advisory Name: OracleJSP Systems Affected: Oracle 9iAS Platforms: All Operating Systems Severity: Medium/High Risk Vendor URL: http://www.oracle.com/ Author: David Litchfield (david@nextgenss.com) Date: 6th February 2002 Advisory number: #NISR06022002C Advisory URL: http://www.nextgenss.com/advisories/orajsp.txt Description *********** The web service with Oracle 9iAS is powered by Apache and provides many application environments with which to offer services from the site. These include SOAP, PL/SQL, XSQL and JSP. An security issue exists in the OracleJSP environment where an attacker can get access to the source code of the of the translated JSP page. There is a second issue relates to an attacker gaining access to the globals.jsa contents. Details ******* When a user requests a JSP page from a server running OracleJSP the JSP page is translated, compiled and executed with the results being returned to the requesting client. During this process three intermediary files are created. Assuming the JSP page is named "foo.jsp" _foo$__jsp_StaticText.class _foo.class _foo.java these are stored in the /_pages directory. If foo.jsp existed in a subdirectory named "bar", i.e. /bar/foo.jsp, a "_bar" directory would be created under the "_pages" directory and the three files placed here. For more details on exact naming conventions please read http://download-west.oracle.com/otndoc/oracle9i/901_doc/java.901/a90208/trandepl.htm The problem arises due to the fact that translated .java file contains the clear text source code and these can be accessed directly. As this will often contain sensitive information such as a database UserID and password and business logic this is considered as a security risk. Further to this if the JSP application is using a globals.jsa file for setting application wide settings an attacker may access this directly and gain access to the contents. This poses the same threat: as the globals.jsa can contain sensitive information it must be protected. Fix Information *************** To address these problems edit the httpd.conf file found in the $ORACLE_HOME$/apache/apache/conf directory. To prevent access to the globals.jsa file add the following entry: Order allow,deny Deny from all To prevent access to the .java pages add the following entry: Order deny,allow Deny from all Note that if the JSP pages are stored in a aliased directory (i.e. not a subdirectory of "htdocs") then it is necessary to add an entry of Order deny,allow Deny from all when "dirname" is the name of the aliased directory. Oracle were informed of these issues on the 17th of December. [***** End NGSSoftware Advisory #NISR06022002C *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of NGSSoftware for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Center, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) M-037: Oracle 9iAS Multiple Buffer Overflows in the PL/SQL Module M-038: Cisco Secure Access Control Server NDS User Authentication Vulnerability M-039: Microsoft Telnet Server Buffer Overflow Vulnerability M-040: MS Exchange - Incorrectly Sets Remote Registry Permissions M-041: Microsoft Internet Explorer Cumulative Patch M-042: Multiple Vulnerabilities in Multiple Implementations of SNMP M-043: Hewlett-Packard Buffer Overflow in Telnet Server Vulnerability M-044: SQL Server Remote Data Source Function Contain Unchecked Buffers M-046: Red Hat "ncurses" Vulnerability M-047: Oracle PL/SQL EXTPROC Database Vulnerability