Update Protection against Oracle Application Server 10g OPMN Service Format String Vulnerability
| Field | Value |
|---|---|
| Check Point Reference | CPAI-2009-071 |
| Date Published | |
| Preemptive Since | |
| Severity | |
| Source | Secunia ID: 34693 |
| Industry Reference(s) | |
| Protection Provided by | IPS-1 |
| Who is Vulnerable? | Oracle Application Server 10g |
Vulnerability Description: A vulnerability was reported in Oracle Application Server, a multi-platform solution for developing and deploying enterprise applications and web sites. The flaw is due to insufficient validation of the URI part of HTTP requests. Remote attackers could exploit this vulnerability by sending a crafted HTTP request containing a malicious URI string. Successful exploitation would allow the attacker to execute arbitrary code in the context of the affected process.

Update/Patch Available: Oracle has released an advisory addressing this vulnerability: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html

Vulnerability Details: The vulnerability lies in the Oracle Application Server OPMN service. Oracle Process Manager and Notification Server (OPMN) is essential for running Oracle Application Server and is installed with every Oracle Application Server installation type. The vulnerable code uses the URI string as part of a format string without validation. By embedding format-string directives in the URI, attackers may be able to inject and execute arbitrary code.

Protection Overview: By enabling this protection, IPS-1 will detect and block HTTP operations containing URI strings with '%'-escape sequences in them.

To configure the defense, select your product from the list below and follow the related protection steps.
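The detection rule described above, as an added example that is not part of the Check Point advisory or the IPS-1 signature: it extracts the URI from an HTTP request line, flags every '%' sequence (the protection's blanket rule), and additionally marks the request as suspicious only when a sequence is an unambiguous printf-style directive rather than ordinary RFC 3986 percent-encoding. The request lines are constructed samples; function and variable names are assumptions.

```python
import re

# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /docs/my%20file.txt HTTP/1.1",
    "GET /%n%n%n%x%x HTTP/1.1",
]

# RFC 3986 percent-encoding: '%' followed by exactly two hex digits.
PCT_ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")
# printf-style directive: flags, width, precision, length modifier, conversion.
FMT_DIRECTIVE = re.compile(
    r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|j|z|t)?[diouxXeEfFgGaAcspn]"
)

def request_uri(request_line):
    """Return the request-target of an HTTP/1.x request line, or None if malformed."""
    parts = request_line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[1]

def percent_sequences(uri):
    """List (offset, token, kind) for every '%' in the URI.

    kind is 'encoded' for a valid %XX pair, 'format' for a printf directive that
    is not a valid %XX pair, and 'bare' for anything else (e.g. a trailing '%').
    Note the overlap: '%4d' is a valid hex pair and a width-4 decimal directive,
    so it is reported as 'encoded'; the protection's blanket '%' rule sidesteps
    this ambiguity at the cost of also blocking legitimately encoded URIs.
    """
    found = []
    for m in re.finditer("%", uri):
        i = m.start()
        enc = PCT_ENCODED.match(uri, i)
        if enc:
            found.append((i, enc.group(), "encoded"))
            continue
        fmt = FMT_DIRECTIVE.match(uri, i)
        found.append((i, fmt.group(), "format") if fmt else (i, "%", "bare"))
    return found

def inspect_request(request_line):
    """Apply the protection's rule: any '%' sequence in the URI is blocked."""
    uri = request_uri(request_line)
    if uri is None:
        return {"verdict": "malformed", "suspicious": False, "sequences": []}
    seqs = percent_sequences(uri)
    return {"verdict": "block" if seqs else "allow",
            "suspicious": any(k == "format" for _, _, k in seqs),
            "sequences": seqs}

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(line, "->", inspect_request(line))
```

The `suspicious` flag is there for triage of blocked events: a `block` with `suspicious` false is most likely ordinary URL encoding, while `%n`, `%s` or `%p` in a request-target has no legitimate encoding meaning.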