
Oracle9iAS Web Cache Denial of Service

Attack ID: CPAI-2002-11
Publish Date:
Category: Oracle9iAS Web Cache Denial of Service
Vulnerable Systems: Application: Oracle9iAS Web Cache 9.0.2.0.0 on Windows NT/2000/XP
Source: @Stake advisory at http://www.atstake.com/research/advisories/2002/a102802-1.txt
CVE: CAN-2002-0386
Description: Oracle Web Cache is a part of the Oracle Application Server suite. It is a caching reverse proxy server implemented in front of the Oracle Web server. @Stake discovered two different denial of service scenarios, which will cause the Web Cache service to fail. The denial of service conditions can be exploited by simple HTTP requests to the Web Cache service.
Severity:
  A malicious user can perform two different denial of service attacks, which will cause the Web Cache service to fail. The denial of service conditions can be exploited by simple, legitimate HTTP requests to the Web Cache service.
Details:

There are two different denial of service conditions in Oracle Web Cache 9.0.2.0.0. The first is triggered by an HTTP GET request with at least one dot-dot-slash sequence in the URI:

GET /../ HTTP/1.0
Host: whatever
[CRLF]
[CRLF]

The second denial of service is triggered by a malformed GET request:

GET / HTTP/1.0
Host: whatever
Transfer-Encoding: chunked
[CRLF]
[CRLF]

Attack Detection:

Using SmartView Tracker, look for rejects for service 'http'. Identify rejects with the following pattern:

reason: Header pattern detected: Transfer-Encoding: chunked

Solution:

Use the FireWall-1 HTTP Security Server to reject HTTP GET requests whose URI contains at least one dot-dot-slash sequence (../). This eliminates the first problem. To avoid problems for other web services, it is highly recommended to define a specific HTTP resource rule with the Web Cache as the destination. Note that the HTTP Security Server performs a directory traversal prevention check as well.

To address the malformed GET request denial of service, use a new security component introduced in Feature Pack 3: the P2P catcher. With this tool, the Transfer-Encoding: chunked pattern can be defined as a pattern to block. Use the following procedure:

Use the database tool to specify the forbidden HTTP headers and header patterns.

Change the global property "http_detect_header_pattern_mode" from false (the default value) to true.

Define a new HTTP pattern using the following attributes: match_string = Transfer-Encoding Value=chunked

Install the policy.
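The two checks described above (dot-dot-slash in the URI, and the Transfer-Encoding: chunked header pattern) can be sketched as a stand-alone request filter. This is an added example, not Check Point or Oracle code; the function name, the URI reject reason string and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import unquote

def inspect_request(raw: bytes) -> list:
    """Return reject reasons for one raw HTTP request (empty list = accept)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return ["Malformed request line"]
    reasons = []

    # Check 1: a ".." path segment in the URI. Percent-escapes are decoded
    # a bounded number of times so encoded forms are normalised first.
    path = parts[1].split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if ".." in path.replace("\\", "/").split("/"):
        reasons.append("Directory traversal detected in URI")  # hypothetical text

    # Check 2: header pattern Transfer-Encoding / chunked. Header names are
    # case-insensitive and the value may be a comma-separated list.
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "transfer-encoding":
            continue
        if "chunked" in [tok.strip().lower() for tok in value.split(",")]:
            reasons.append("Header pattern detected: Transfer-Encoding: chunked")
            break
    return reasons

# Constructed sample requests for the filter.
SAMPLES = {
    "dot-dot-slash": b"GET /../ HTTP/1.0\r\nHost: whatever\r\n\r\n",
    "chunked": b"GET / HTTP/1.0\r\nHost: whatever\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n",
    "benign": b"GET /index.html HTTP/1.0\r\nHost: whatever\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, "->", inspect_request(request) or "accept")
```

As with the resource rule recommended above, a filter like this belongs only in front of the Web Cache, since other web services may legitimately receive chunked requests.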

Industry Reference:
Additional Information:  More information about this problem is provided by an Oracle Security alert.