| VID |
22254 |
| Severity |
40 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
WWW |
| Detailed Description |
The Oracle9iAS Web Cache, according to its version number, has multiple high-risk vulnerabilities. Oracle has reported multiple unspecified vulnerabilities in Oracle Application Server Web Cache 10g (9.0.4.0.0) and Oracle9i Application Server Web Cache. A remote attacker could exploit these vulnerabilities if the Web Cache is running and configured to listen on the Oracle Application Server Web Cache listener port for any client request, regardless of the type of origin Web server (for example, Oracle HTTP Server, Apache or other web servers). Otherwise, the client request is sent directly to the origin Web server, bypassing Web Cache, and these vulnerabilities cannot be exploited.
* Note: This check relies solely on the version number of the remote Web server to assess this vulnerability, so the result might be a false positive.
* References:
  * http://otn.oracle.com/deploy/security/pdf/2004alert66.pdf
  * http://www.kb.cert.org/vuls/id/643985
  * http://www.inaccessnetworks.com/ian/services/secadv01.txt
  * http://www.securityfocus.com/archive/1/359853
* Platforms Affected:
  * Oracle Application Server Web Cache 10g (9.0.4.0.0)
  * Oracle Oracle9iAS Web Cache 9.0.3.1.0
  * Oracle Oracle9iAS Web Cache 9.0.2.3.0
  * Oracle Oracle9iAS Web Cache 2.0.0.4.0
  * HP Compaq Tru64 UNIX: Any version
  * HP-UX: Any version
  * IBM AIX: Any version
  * Sun Solaris: Any version
  * Microsoft Windows: Any version
  * Linux: Any version
  * Oracle AS Web Cache 10g (9.0.4.0.0) on Windows, Tru64 and AIX is not vulnerable |
| Recommendation |
Apply the appropriate patch for your system. Oracle Application Server Web Cache 10g (9.0.4.0) already includes fixes for Windows, Tru64 and AIX (release pending). Other platforms for this release are still vulnerable. Users should upgrade to this release if they are using one of the platforms that includes fixes. Other fixes for this release are pending.
Oracle has released a Patch Availability Matrix which details available and pending fixes for various platforms and releases. Further details may be found in Oracle Security Alert #66 at http://otn.oracle.com/deploy/security/pdf/2004alert66.pdf |
| Related URL |
CVE-2004-0385 (CVE) |
| Related URL |
9868 (SecurityFocus) |
| Related URL |
15463 (ISS) |
|