| VID |
22167 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
The Oracle9iAS application server is installed with the SOAP component enabled by default.
Oracle9iAS supports SOAP (Simple Object Access Protocol), a lightweight XML-based protocol for exchanging information between peers in a decentralized, distributed environment, and uses it for web administration of database services. When version 1.0.2.2 of Oracle9iAS is installed with the "typical" option, the SOAP component is enabled by default together with two management services, urn:soap-service-manager and urn:soap-provider-manager, which let a web user deploy and undeploy other SOAP services and providers remotely. These management services can be reached by anonymous users without valid credentials. In addition, the default SOAP configuration includes a built-in Java provider, so anyone who can reach the default SOAP URL /soap/servlet/soaprouter can deploy Java classes that are already available to the servlet as SOAP services and then invoke them. A remote attacker can therefore deploy SOAP services and execute Java code on the server without authentication; the risk is greater if the SOAP URL is reachable from outside the firewall. Adding SOAP services backed by attacker-supplied Java classes is not possible without write access to the server's file system, so the attacker is limited to classes already present on the server.
* Platforms Affected: Oracle9iAS Application Server 1.0.2.2
* References:
http://online.securityfocus.com/bid/4289
http://technet.oracle.com/deploy/security/pdf/ias_soap_alert.pdf |
| Recommendation |
Disable SOAP if it is not used:
1. Open the [oracle home directory]/Apache/Jserv/etc/jserv.conf file.
2. Delete or comment out the following four lines:
ApJServGroup group2 1 1 $ORACLE_HOME/Apache/Jserv/etc/jservSoap.properties
ApJServMount /soap/servlet ajpv12://localhost:8200/soap
ApJServMount /dms2 ajpv12://localhost:8200/soap
ApJServGroupMount /soap/servlet balance://group2/soap
where $ORACLE_HOME is the Oracle home directory; the port 8200 may differ on your installation.
-- OR --
Disable the deploy/undeploy feature of SOAP:
1. Open the [oracle home directory]/soap/webapps/soap/WEB-INF/config/soapConfig.xml file.
2. Add or change the following line in this file:
<osc:option name="autoDeploy" value="false" /> |
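The following Python checker, added here as an example and not part of the original advisory or of Oracle's tooling, audits the two settings the recommendation above changes: whether jserv.conf still mounts /soap/servlet (so the SOAP router is reachable), and whether soapConfig.xml leaves autoDeploy enabled. The jserv.conf and soapConfig.xml fragments are constructed samples modelled on the lines quoted above; the osc namespace URI in the XML sample is an assumption made only so the fragment is well-formed, and the checker matches on local element names so it does not depend on that URI. Because the page states that either mitigation is sufficient, the host is reported as vulnerable only when the servlet is mounted and autoDeploy is not set to false.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the jserv.conf directives a "typical" install adds
# (built from the lines quoted in the recommendation, not a real file).
JSERV_CONF_DEFAULT = """\
ApJServGroup group2 1 1 $ORACLE_HOME/Apache/Jserv/etc/jservSoap.properties
ApJServMount /soap/servlet ajpv12://localhost:8200/soap
ApJServMount /dms2 ajpv12://localhost:8200/soap
ApJServGroupMount /soap/servlet balance://group2/soap
"""

# The same directives after the first recommended fix: all commented out.
JSERV_CONF_FIXED = "\n".join("# " + l for l in JSERV_CONF_DEFAULT.splitlines()) + "\n"

# Constructed soapConfig.xml fragment. The namespace URI is an assumption;
# auto_deploy_enabled() ignores it and matches on the local name "option".
SOAP_CONFIG_DEFAULT = """\
<osc:soapServer xmlns:osc="urn:example-osc-namespace">
  <osc:serviceManager>
    <osc:option name="autoDeploy" value="true" />
  </osc:serviceManager>
</osc:soapServer>
"""

# The same fragment after the second recommended fix.
SOAP_CONFIG_FIXED = SOAP_CONFIG_DEFAULT.replace('value="true"', 'value="false"')

# Matches an active ApJServMount or ApJServGroupMount directive for /soap/servlet.
SOAP_MOUNT_RE = re.compile(r"^\s*ApJServ(?:Group)?Mount\s+/soap/servlet\b")


def soap_servlet_mounted(jserv_conf):
    """Return True if an uncommented directive still maps /soap/servlet."""
    for line in jserv_conf.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented out: not active
        if SOAP_MOUNT_RE.match(line):
            return True
    return False


def auto_deploy_enabled(soap_config_xml):
    """Return True unless an option named autoDeploy is explicitly set to false.

    A missing option is treated as enabled, because the advisory describes
    remote deploy/undeploy as on by default.
    """
    root = ET.fromstring(soap_config_xml)
    for el in root.iter():
        local_name = el.tag.rsplit("}", 1)[-1]  # strip any {namespace} prefix
        if local_name == "option" and el.get("name") == "autoDeploy":
            return el.get("value", "").strip().lower() != "false"
    return True


def audit(jserv_conf, soap_config_xml):
    """Combine both checks; vulnerable only if neither mitigation is applied."""
    mounted = soap_servlet_mounted(jserv_conf)
    auto_deploy = auto_deploy_enabled(soap_config_xml) if mounted else False
    return {
        "soap_mounted": mounted,
        "auto_deploy": auto_deploy,
        "vulnerable": mounted and auto_deploy,
    }


if __name__ == "__main__":
    for label, conf, cfg in [
        ("default install", JSERV_CONF_DEFAULT, SOAP_CONFIG_DEFAULT),
        ("SOAP disabled in jserv.conf", JSERV_CONF_FIXED, SOAP_CONFIG_DEFAULT),
        ("autoDeploy=false", JSERV_CONF_DEFAULT, SOAP_CONFIG_FIXED),
    ]:
        print(label, "->", audit(conf, cfg))
```

To run it against a real installation, read the two files named in the recommendation and pass their contents to audit(); the directive names, the /soap/servlet mount point and the autoDeploy option are the only facts it relies on, all of which come from the advisory text.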
| Related URL |
CVE-2001-1371 (CVE) |