Oracle 9iAS Java Process Manager /oprocmgr-status Anonymous Process Manipulation

2002-02-06T00:37:57
ID OSVDB:13152
Type osvdb
Reporter OSVDB
Modified 2002-02-06T00:37:57

Description

Vulnerability Description

Oracle 9iAS contains a flaw that may allow a malicious user to display and manipulate Java processes remotely. The issue is triggered when an attacker accesses the /oprocmgr-status interface, which does not require authentication. This facility allows the remote user to display a list of all Java processes as well as start and stop them.

Technical Description

Note: This is a separate, distinct issue from the /dms0 issue covered by CVE-2002-0563.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Restrict access to /oprocmgr-status in httpd.conf.
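As an added illustration of the workaround (not part of the OSVDB record or of Oracle's documentation), the exposed Location block is shown beside a restricted one, in the Apache 1.3-style syntax used by the Oracle HTTP Server shipped with 9iAS. The SetHandler name and the administrative host address are assumptions; match them to your own httpd.conf.

```apache
# Exposed (weak): the status handler is mapped with no access control,
# so any client that can reach the server can list and start/stop processes.
<Location /oprocmgr-status>
    SetHandler oprocmgr-status
</Location>

# Restricted (corrected): deny everyone by default, then allow only the
# loopback address and a single administrative host.
# The handler name is assumed here; copy it from your own httpd.conf.
# 192.0.2.10 is a placeholder for the management workstation's address.
<Location /oprocmgr-status>
    SetHandler oprocmgr-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from 192.0.2.10
</Location>
```

After restarting the Oracle HTTP Server, request /oprocmgr-status from a host that is not in the Allow list and confirm it now returns 403 Forbidden.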

Short Description

Oracle 9iAS contains a flaw that may allow a malicious user to display and manipulate Java processes remotely. The issue is triggered when an attacker accesses the /oprocmgr-status interface, which does not require authentication. This facility allows the remote user to display a list of all Java processes as well as start and stop them.

Manual Testing Notes

http://[target]/oprocmgr-status

References:

Related OSVDB ID: 705
Other Advisory URL: http://www.appsecinc.com/Policy/PolicyCheck7024.html
Nessus Plugin ID: 10851
Generic Informational URL: http://otn.oracle.com/products/ias/http/ohs-faq-v1022-part3.htm