Oracle9i Application Server MOD_ORADAV module denial of service
| oracle-appserver-modoradav-dos (11331) |  Medium Risk |
Description:
Oracle9i Application Server is vulnerable to a denial of service attack, caused by format string vulnerability in the MOD_ORADAV module. A remote attacker could send a specially-crafted URL request to the DAV_PUBLIC or DAV_PORTAL directory to compromise the MOD_ORADAV module and cause a denial of service against the affected server.
Platforms Affected:
- Oracle, Application Server 9.0.2
- Oracle, Application Server 9.0.3
Remedy:
Apply the appropriate patch for your system, as listed in Oracle Security Alert #52. See References.
Consequences:
Denial of Service
References:
- CERT Advisory CA-2003-05, Multiple Vulnerabilities in Oracle Servers at http://www.cert.org/advisories/CA-2003-05.html.
- CIAC Information Bulletin N-046, Multiple Vulnerabilities in Oracle Servers at http://www.ciac.org/ciac/bulletins/n-046.shtml.
- NGSSoftware Insight Security Research Advisory #NISR16022003d, Oracle9i Application Server Format String Vulnerability at http://www.nextgenss.com/advisories/ora-appservfmtst.txt.
- Oracle Security Alert #52, Two Security Vulnerabilities in Oracle9i Application Server at http://otn.oracle.com/deploy/security/pdf/2003alert52.pdf.
- BID-6851: Oracle 9i Application Server mod_oradav Module Format String Vulnerability
- US-CERT VU#511194: Oracle9i Application Server MOD_ORADAV Module vulnerable to DoS
Reported:
Feb 11, 2003
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net