Found by David Litchfield of NGSSoftware, the vulnerabilities include buffer overflows, insecure default settings, failure to enforce access controls and failure to validate input. CERT said the vulnerabilities could allow the execution of arbitrary commands or code, denial of service and unauthorized access to sensitive information.
Oracle has patched the vulnerabilities and recommended configuration changes. The patches may be found in Oracle Security Alert #28 and Oracle Security Alert #25, as well as on the MetaLink Web site (registration required). More security and patch information may be found here.
CERT warned of several buffer-overflow vulnerabilities in the way the PL/SQL module handles HTTP requests and configuration parameters. CERT said the default configuration settings in a range of components are insecure, and different components fail to apply access restrictions uniformly, exposing systems running Oracle Application Server and the information held in the underlying databases to risk. Two more buffer overflow vulnerabilities exist in code that processes configuration parameters that can be specified via the PL/SQL gateway Web administration interface. CERT said that by default, access to the PL/SQL gateway Web administration interface is not restricted.

There are also multiple insecure configuration settings -- such as well-known default passwords and unrestricted access to applications and sensitive information -- in the default installation of Oracle Application Server. Additionally, Oracle Application Server does not uniformly enforce access restrictions, as different components do not adequately check authorization before granting access to protected resources. Litchfield also found one instance where the PL/SQL module doesn't properly handle a malformed HTTP request.
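The advisory describes two things a defender can look for in the Apache access log of an Oracle Application Server: requests reaching the PL/SQL gateway's Web administration interface (which is unrestricted by default) and abnormally long or error-producing requests to the gateway, which is how overflow attempts and malformed requests tend to surface. The scanner below is an added example, not code from the advisory or from Oracle; the mount point `/pls/`, the `/admin_/` marker, the DAD name `sample_dad` and the length threshold are assumptions, and the log lines are constructed.

```python
import re
from typing import Dict, List, Optional

# Apache Common/Combined Log Format as written by the Apache front end; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# ASSUMPTIONS, not taken from the advisory: the PL/SQL gateway is mounted under /pls/ and its
# Web administration interface lives under a path containing "/admin_/". Adjust to the real deployment.
GATEWAY_PREFIX = "/pls/"
ADMIN_MARKER = "/admin_/"
# Targets longer than this are flagged as oversized; set it above the longest legitimate request in your own logs.
MAX_TARGET_LEN = 512

def analyze_line(line: str) -> Optional[Dict[str, object]]:
    # Parse one access-log line; return its fields plus a list of findings (empty when nothing is suspicious).
    m = LOG_RE.match(line)
    if not m:
        return None
    target, status = m.group("target"), int(m.group("status"))
    findings: List[str] = []
    if target.startswith(GATEWAY_PREFIX):
        if ADMIN_MARKER in target:
            findings.append("gateway-admin-access")      # admin UI is unrestricted by default
        if len(target) > MAX_TARGET_LEN:
            findings.append("oversized-gateway-request")  # overflow attempts arrive as long requests
        if status >= 500:
            findings.append("gateway-server-error")       # malformed request crashed the handler
    return {"ip": m.group("ip"), "target": target, "status": status, "findings": findings}

def scan(lines: List[str]) -> List[Dict[str, object]]:
    # Return only the parsed records that produced at least one finding.
    hits = []
    for line in lines:
        rec = analyze_line(line)
        if rec and rec["findings"]:
            hits.append(rec)
    return hits

# Constructed sample log lines (not real traffic); "sample_dad" is a placeholder DAD name.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2002:10:01:02 +0000] "GET /pls/sample_dad/app.home HTTP/1.0" 200 512',
    '10.0.0.9 - - [12/Mar/2002:10:02:15 +0000] "GET /pls/sample_dad/admin_/gateway.htm HTTP/1.0" 200 2048',
    '10.0.0.9 - - [12/Mar/2002:10:03:44 +0000] "GET /pls/sample_dad/' + "A" * 600 + ' HTTP/1.0" 500 0',
    '10.0.0.7 - - [12/Mar/2002:10:04:01 +0000] "GET /index.html HTTP/1.0" 200 1024',
]
```

Running `scan(SAMPLE_LOG)` flags the admin-interface hit and the oversized request that produced a 500, while ordinary gateway and non-gateway requests are left alone.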
CERT said some of the vulnerabilities could allow execution with the privileges of the Apache process. On UNIX systems, the Apache process usually runs as the "oracle" user, and on Windows systems the Apache process typically runs as the SYSTEM user. In either case, exploiting these vulnerabilities would give an attacker complete control of the system.