| Field | Value |
|---|---|
| VID | 25033 |
| Severity | 20 |
| Port | 1521, ... |
| Protocol | TCP |
| Class | DB |

Detailed Description

The Oracle Database Server, according to its version number, is vulnerable to a denial of service related to XML and SOAP. XML and SOAP (Simple Object Access Protocol) are enabled by default in the Oracle9i Application Server, and if Oracle HTTP Server is installed these options are also enabled by default in the Oracle9i Database Server. By sending a specially crafted SOAP message whose XML contains malicious DTDs (Document Type Definitions), a remote attacker could disable the affected Database Server. This vulnerability may be exposed if authentication for SOAP is not enabled or if the attacker is able to gain unauthorized access to SOAP services.

* Note: This check relies solely on the version number of the remote Oracle Listener to assess this vulnerability, so the result may be a false positive.
* References: http://otn.oracle.com/deploy/security/pdf/2004alert65.pdf
* Platforms Affected:
  * Oracle9i Application Server Release 1 1.0.2.2
  * Oracle9i Application Server Release 2 9.0.2.1 and earlier
  * Oracle9i Application Server Release 2 9.0.3.0
  * Oracle9i Application Server Release 2 9.0.3.1
  * Oracle9i Database Server Release 1 9.0.1.4
  * Oracle9i Database Server Release 2 9.2.0.2
  * All Platforms

Recommendation

Upgrade to the latest version of Oracle Database Server Release 2 (9.2.0.3 or later), available from the Oracle MetaLink Web site at http://metalink.oracle.com

-- OR --

Apply the appropriate patch for your system, as listed in Oracle Security Alert #65 at http://otn.oracle.com/deploy/security/pdf/2004alert65.pdf

As a workaround, if SOAP support is not required, it may be disabled by renaming or removing the following library:

[Oracle Home]/soap/lib.soap.jar

* Related URL (CVE):
* Related URL (SecurityFocus):
* Related URL (ISS):