Summary
In a default installation of Oracle 9iAS v.1.0.2.2, it is possible to deploy or undeploy SOAP services without any kind of credentials.
This is because SOAP is enabled by default after installation to provide a convenient way to use the SOAP samples. However, this feature poses a threat to HTTP servers with public access, since remote attackers can create SOAP services and then invoke them remotely. Because SOAP services can contain arbitrary Java code in Oracle 9iAS, an attacker can execute arbitrary code on the remote server.
Solution
Disable SOAP or the deploy/undeploy feature by editing $ORACLE_HOME/Apache/Jserver/etc/jserv.conf and removing/commenting the following four lines:
ApJServGroup group2 1 1 $ORACLE_HOME/Apache/Jserv/etc/jservSoap.properties
ApJServMount /soap/servlet ajpv12://localhost:8200/soap
ApJServMount /dms2 ajpv12://localhost:8200/soap
ApJServGroupMount /soap/servlet balance://group2/soap
Note that the port number might be different from 8200.
You will also need to change the following option in the file
$ORACLE_HOME/soap/werbapps/soap/WEB-INF/config/soapConfig.xml:
<osc:option name='autoDeploy' value='true' />
to
<osc:option name='autoDeploy' value='false' />
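The following audit check is an added example, not part of the original advisory or of any Oracle tooling. It tests configuration text for the two conditions described above: any of the four SOAP directives still active in jserv.conf, and autoDeploy not set to false in soapConfig.xml. The function names and the sample inputs are constructed for illustration.

```python
import re

# The four jserv.conf directives the advisory says to remove or comment out.
SOAP_DIRECTIVE = re.compile(
    r"^\s*(ApJServGroup\s+group2\b"
    r"|ApJServMount\s+/(soap/servlet|dms2)\b"
    r"|ApJServGroupMount\s+/soap/servlet\b)"
)
# autoDeploy option in soapConfig.xml, single or double quoted.
AUTODEPLOY = re.compile(
    r"<osc:option\s+name=(['\"])autoDeploy\1\s+value=(['\"])(.*?)\2", re.I)

def active_soap_directives(jserv_conf):
    """Uncommented jserv.conf lines that still mount the SOAP servlet."""
    # The pattern is anchored at line start, so '#'-commented lines never match.
    return [l.strip() for l in jserv_conf.splitlines() if SOAP_DIRECTIVE.match(l)]

def autodeploy_enabled(soap_config):
    """True if a live autoDeploy option has any value other than 'false'."""
    live = re.sub(r"<!--.*?-->", "", soap_config, flags=re.S)  # drop XML comments
    return any(m.group(3).strip().lower() != "false"
               for m in AUTODEPLOY.finditer(live))

def audit(jserv_conf, soap_config):
    """Return a list of findings; an empty list means both fixes are in place."""
    findings = [f"jserv.conf: active SOAP directive: {d}"
                for d in active_soap_directives(jserv_conf)]
    if autodeploy_enabled(soap_config):
        findings.append("soapConfig.xml: autoDeploy is not 'false'")
    return findings

# Constructed sample inputs (default install vs. after the fix), not real files.
DEFAULT_JSERV = """\
ApJServGroup group2 1 1 $ORACLE_HOME/Apache/Jserv/etc/jservSoap.properties
ApJServMount /soap/servlet ajpv12://localhost:8200/soap
ApJServMount /dms2 ajpv12://localhost:8200/soap
ApJServGroupMount /soap/servlet balance://group2/soap
"""
FIXED_JSERV = "".join("# " + l + "\n" for l in DEFAULT_JSERV.splitlines())
DEFAULT_SOAP = "<osc:option name='autoDeploy' value='true' />"
FIXED_SOAP = "<osc:option name='autoDeploy' value='false' />"

if __name__ == "__main__":
    for finding in audit(DEFAULT_JSERV, DEFAULT_SOAP):
        print(finding)
    print("after fix:", audit(FIXED_JSERV, FIXED_SOAP))
```

The directive match does not depend on the port number, so it still applies when the AJP port differs from 8200.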
More information:
http://otn.oracle.com/deploy/security/pdf/ias_soap_alert.pdf
http://www.cert.org/advisories/CA-2002-08.html
http://www.kb.cert.org/vuls/id/476619
Also read:
Hackproofing Oracle Application Server from NGSSoftware:
available at http://www.nextgenss.com/papers/hpoas.pdf
Severity
Classification
CVE: CVE-2001-1371
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P