__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Center
__________________________________________________________
ADVISORY NOTICE
Oracle 9iAS Default Configuration Vulnerability
[NGSSoftware Insight Security Research Advisory #NISR06022002C]
February 27, 2002 20:00 GMT Number M-048
______________________________________________________________________________
PROBLEM: A vulnerability in the default configuration of Oracle Database
Server version 9iAS could allow remote users to view the
"globals.jsa" file.
PLATFORM: Oracle 9iAS
DAMAGE: If exploited, an attacker could obtain information which may
contain Oracle usernames and passwords.
SOLUTION: Apply workarounds listed.
______________________________________________________________________________
VULNERABILITY ASSESSMENT: The risk is HIGH. An attacker could obtain usernames and
passwords that can then be used to access the system.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-048.shtml
ORIGINAL BULLETIN: http://www.nextgenss.com/advisories/orajsp.txt
______________________________________________________________________________
[***** Start NGSSoftware Advisory #NISR06022002C *****]
NGSSoftware Insight Security Research Advisory
Name: OracleJSP
Systems Affected: Oracle 9iAS
Platforms: All Operating Systems
Severity: Medium/High Risk
Vendor URL: http://www.oracle.com/
Author: David Litchfield (david@nextgenss.com)
Date: 6th February 2002
Advisory number: #NISR06022002C
Advisory URL: http://www.nextgenss.com/advisories/orajsp.txt
Description
***********
The web service in Oracle 9iAS is powered by Apache and provides many application
environments with which to offer services from the site. These include SOAP, PL/SQL,
XSQL and JSP. A security issue exists in the OracleJSP environment whereby an attacker
can gain access to the source code of the translated JSP page. A second issue relates
to an attacker gaining access to the contents of the globals.jsa file.
Details
*******
When a user requests a JSP page from a server running OracleJSP, the JSP page is
translated, compiled and executed, and the results are returned to the requesting
client. During this process three intermediary files are created. Assuming the JSP
page is named "foo.jsp", these are:
_foo$__jsp_StaticText.class
_foo.class
_foo.java
and they are stored in the /_pages directory. If foo.jsp existed in a subdirectory named
"bar", i.e. /bar/foo.jsp, a "_bar" directory would be created under the "_pages"
directory and the three files placed there.
For more details on exact naming conventions please read
http://download-west.oracle.com/otndoc/oracle9i/901_doc/java.901/a90208/trandepl.htm
The problem arises because the translated .java file contains the clear-text
source code of the page and can be requested directly over the web. As this source will
often contain sensitive information such as a database UserID and password, as well as
business logic, this is considered a security risk.
Further to this, if the JSP application uses a globals.jsa file for application-wide
settings, an attacker may request this file directly and read its contents. This poses
the same threat: as the globals.jsa can contain sensitive information, it must be
protected.
Fix Information
***************
To address these problems, edit the httpd.conf file found in the
$ORACLE_HOME/apache/apache/conf directory.
To prevent access to the globals.jsa file, add the following entry:
    <Files globals.jsa>
        Order allow,deny
        Deny from all
    </Files>
To prevent access to the translated .java pages, add the following entry:
    <Location /_pages>
        Order deny,allow
        Deny from all
    </Location>
Note that if the JSP pages are stored in an aliased directory (i.e. not a subdirectory
of "htdocs") then it is also necessary to add an entry of
    <Location /dirname/_pages>
        Order deny,allow
        Deny from all
    </Location>
where "dirname" is the name of the aliased directory.
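Whether the entries above really refuse every client depends on mod_access evaluation order: with "Order allow,deny" the Deny is evaluated last and wins, but with "Order deny,allow" any later Allow directive overrides "Deny from all" and silently re-opens the directory. The following added check, not part of the advisory or of Oracle's configuration, evaluates that logic over a constructed httpd.conf fragment and reports each container that scopes /_pages or globals.jsa.

```python
import re

# Matches <Location ...>, <Files ...> or <Directory ...> containers (no nesting handled).
CONTAINER_RE = re.compile(r'<(Location|Files|Directory)\s+([^>]+)>(.*?)</\1>', re.S | re.I)

def denies_all(body):
    """True if the container body refuses every client under mod_access semantics.
    Order allow,deny  -> Deny is evaluated last, so 'Deny from all' wins.
    Order deny,allow  -> Allow is evaluated last, so any Allow directive re-opens access.
    Order mutual-failure -> a host needs Allow and no Deny; 'Deny from all' blocks all."""
    order = 'deny,allow'           # mod_access default when no Order is given
    deny_all = allow_any = False
    for raw in body.splitlines():
        parts = raw.split('#', 1)[0].split()
        if not parts:
            continue
        kw = parts[0].lower()
        if kw == 'order' and len(parts) > 1:
            order = ''.join(parts[1:]).lower()
        elif kw == 'deny' and len(parts) >= 3 and parts[1].lower() == 'from':
            deny_all = deny_all or parts[2].lower() == 'all'
        elif kw == 'allow' and len(parts) >= 3 and parts[1].lower() == 'from':
            allow_any = True
    if not deny_all:
        return False
    if order in ('allow,deny', 'mutual-failure'):
        return True
    return not allow_any           # deny,allow: only safe with no Allow at all

def audit_httpd_conf(conf):
    """Return (container, argument, denies_all) for every block scoping /_pages or globals.jsa."""
    report = []
    for kind, arg, body in CONTAINER_RE.findall(conf):
        arg = arg.strip().strip('"')
        if arg.endswith('/_pages') or arg.endswith('globals.jsa'):
            report.append((kind, arg, denies_all(body)))
    return report

# Constructed httpd.conf fragment for this example; the second block is deliberately weak.
SAMPLE_CONF = """
<Files globals.jsa>
    Order allow,deny
    Deny from all
</Files>
<Location /_pages>
    Order deny,allow
    Deny from all
    # an Allow added later for "convenience" re-opens the directory under deny,allow
    Allow from all
</Location>
<Location /myapp/_pages>
    Order deny,allow
    Deny from all
</Location>
"""
```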
Oracle were informed of these issues on the 17th of December.
[***** End NGSSoftware Advisory #NISR06022002C *****]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of NGSSoftware for the
information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
M-037: Oracle 9iAS Multiple Buffer Overflows in the PL/SQL Module
M-038: Cisco Secure Access Control Server NDS User Authentication Vulnerability
M-039: Microsoft Telnet Server Buffer Overflow Vulnerability
M-040: MS Exchange - Incorrectly Sets Remote Registry Permissions
M-041: Microsoft Internet Explorer Cumulative Patch
M-042: Multiple Vulnerabilities in Multiple Implementations of SNMP
M-043: Hewlett-Packard Buffer Overflow in Telnet Server Vulnerability
M-044: SQL Server Remote Data Source Function Contain Unchecked Buffers
M-046: Red Hat "ncurses" Vulnerability
M-047: Oracle PL/SQL EXTPROC Database Vulnerability