CERT Coordination Center

Oracle Application Server contains format string vulnerability

Vulnerability Note VU#467555

Original Release Date: 2002-06-04 | Last Revised: 2003-06-02

Overview

The CERT/CC is aware of a report about a "remotely exploitable format string vulnerability in Oracle Application Server" that could allow an unauthenticated, remote attacker to execute arbitrary code on a vulnerable system.

Description

Oracle Application Server uses the Apache HTTP Server to provide web services, including access to stored procedures via the Oracle PL/SQL module (modplsql or mod_plsql). The PL/SQL module provides a web-based administration interface to configure Database Access Descriptors (DAD) and cache settings.

The CERT/CC is aware of a report of a format string vulnerability in Oracle Application Server. The report implies that the vulnerability exists in the web-based administration interface for the PL/SQL gateway. An attacker may be able to exploit this vulnerability by sending a specially crafted HTTP request to a vulnerable system.

Further details about this vulnerability are not presently available, as the reporter (NGSSoftware) has intentionally released limited information in accordance with their disclosure policy. NGSSoftware reports that Oracle9iAS v1.0.2.2 for Windows NT/2000 was tested.

Impact

An unauthenticated remote attacker could execute arbitrary code or cause a denial of service on a vulnerable system. The HTTP server used by Oracle Application Server may run as SYSTEM on Windows NT and Windows 2000 systems.

Solution

Apply a Patch

When available, apply the appropriate patch. Oracle typically releases Security Alerts that include patch information.


Restrict Access

The report from NGSSoftware recommends "ensuring that the administration pages for the PL/SQL module have been protected." This implies that the vulnerability lies in the HTML administration interface for the PL/SQL module, which would be similar to a previously announced vulnerability [VU#659043]. In the default configuration, the administration pages are available to anyone who is able to access the web server [VU#611776].

Access to the PL/SQL gateway administration web pages can be restricted by specifying authorized user names and connect strings or an administrative Database Access Descriptor (DAD) in the PL/SQL gateway configuration file, /Apache/modplsql/cfg/wdbsvr.app. For more information, read the section titled Using the PL/SQL Gateway in the Oracle iAS documentation for the Oracle HTTP Server powered by Apache.
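The following audit script is an added example, not part of the original advisory or Oracle's tooling. It checks a wdbsvr.app file for the restriction described above. The section name WVGATEWAY, the keys administrators and admindad, the meaning of the value "all", and the sample values are assumptions to confirm against the Oracle iAS documentation.

```python
import configparser

# Constructed sample in the INI style of wdbsvr.app. Section and key names
# (WVGATEWAY, administrators, admindad) are assumptions, not taken from the
# advisory; confirm them against the Oracle iAS documentation.
SAMPLE_OPEN = """\
[WVGATEWAY]
defaultDAD = simpledad
administrators = all
;admindad =

[DAD_simpledad]
connect_string = orcl
"""

# Same file with a constructed user@connect-string entry as the only admin.
SAMPLE_RESTRICTED = SAMPLE_OPEN.replace(
    "administrators = all", "administrators = dadadmin@orcl"
)


def audit_gateway(text):
    """Return a list of findings for the gateway section of a wdbsvr.app file."""
    cfg = configparser.ConfigParser(strict=False, interpolation=None,
                                    allow_no_value=True)
    cfg.read_string(text)
    # Section names are case-sensitive in configparser, so match loosely.
    section = next((s for s in cfg.sections() if s.upper() == "WVGATEWAY"), None)
    if section is None:
        return ["no gateway section found; cannot confirm admin pages are restricted"]
    gw = cfg[section]
    admins = (gw.get("administrators") or "").strip()
    admindad = (gw.get("admindad") or "").strip()
    findings = []
    if admins.lower() == "all":
        # Assumed semantics: "all" leaves the admin pages open to every client.
        findings.append("administrators = all: admin pages are not restricted")
    elif not admins and not admindad:
        findings.append("neither administrators nor admindad is set; verify access")
    return findings


if __name__ == "__main__":
    for name, text in (("open", SAMPLE_OPEN), ("restricted", SAMPLE_RESTRICTED)):
        print(name, audit_gateway(text) or "ok")
```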

Disable Unnecessary Services

If this vulnerability is in the PL/SQL HTTP administration interface, it may be possible to disable the HTTP interface and make configuration changes to the PL/SQL module by modifying the configuration file directly.

Disable the PL/SQL service (modplsql or mod_plsql in Apache).

Use Least Privilege

Run Oracle Application Server under a user account with the least privilege possible. Note that this workaround will not prevent exploitation, but may limit the impact of an attack.

Vendor Information

Oracle Corporation Affected

Notified:  May 31, 2002 Updated: June 18, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

NGSSoftware reports that Oracle9iAS v1.0.2.2 for Windows NT/2000 was tested.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


Acknowledgements

The CERT/CC thanks David Litchfield of NGSSoftware for information used in this document.

This document was written by Art Manion.

Other Information

CVE IDs: None
Severity Metric: 6.22
Date Public: 2002-05-27
Date First Published: 2002-06-04
Date Last Updated: 2003-06-02 19:05 UTC
Document Revision: 40

Sponsored by CISA.