Oracle 9iAS Java Process Manager /oprocmgr-status Anonymous Process Manipulation

This script is Copyright (C) 2002-2014 Matt Moore


Synopsis :

It is possible to obtain the list of Java processes running on the
remote host anonymously, as well as to start and stop them.

Description :

The remote host is an Oracle 9iAS server. By default, requesting the
location /oprocmgr-status over HTTP requires no authentication, so an
attacker can obtain the list of Java processes managed on the remote
host, and even start or stop them.
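The check below is an added example for confirming the exposure described above; it is not the Nessus plugin's own code. It sends a single unauthenticated GET to /oprocmgr-status and treats an HTTP 200 as the page being served anonymously, a 401 or 403 as access control being in place. The port number 7777 is assumed as the usual Oracle HTTP Server listener and the sample responses are constructed for offline use; nothing here attempts to start or stop a process.

```python
"""Probe for anonymous access to /oprocmgr-status on an Oracle 9iAS host.

Added example, not part of the Nessus plugin. Any HTTP 200 answer to an
unauthenticated request is treated as exposure; 401/403 as restricted.
"""
import http.client

PATH = "/oprocmgr-status"
DEFAULT_PORT = 7777  # assumed Oracle HTTP Server port; adjust per target


def classify(status):
    """Map the HTTP status of an unauthenticated GET to a verdict."""
    if status == 200:
        return "exposed"      # page served anonymously: finding confirmed
    if status in (401, 403):
        return "restricted"   # access control is in place
    if status == 404:
        return "absent"       # location not present on this server
    return "unknown"          # redirects, errors: inspect by hand


def parse_status_line(raw):
    """Return the numeric status code from a raw HTTP response (bytes)."""
    first = raw.split(b"\r\n", 1)[0]
    parts = first.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP response: %r" % first)
    return int(parts[1])


def probe(host, port=DEFAULT_PORT, timeout=5.0):
    """Send one anonymous GET and return (status, verdict)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # No Authorization header on purpose: the test is whether the
        # process manager status page is reachable without credentials.
        conn.request("GET", PATH, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, classify(resp.status)
    finally:
        conn.close()


# Constructed sample responses so the classification can be run offline.
SAMPLE_EXPOSED = (b"HTTP/1.1 200 OK\r\n"
                  b"Server: Oracle HTTP Server\r\n"
                  b"Content-Type: text/html\r\n\r\n"
                  b"<html><body>process table</body></html>")
SAMPLE_DENIED = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    import sys
    for raw in (SAMPLE_EXPOSED, SAMPLE_DENIED):
        code = parse_status_line(raw)
        print(code, classify(code))
    if len(sys.argv) > 1:          # optional live probe: script.py <host>
        print(probe(sys.argv[1]))
```

Run it after applying the httpd.conf fix as well: the verdict should move from "exposed" to "restricted" for any client outside the permitted addresses.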

See also :

http://www.nessus.org/u?80fe4531

Solution :

Restrict access to /oprocmgr-status in httpd.conf
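The Oracle HTTP Server shipped with 9iAS is Apache-based, so the restriction can be expressed as a Location block. The fragment below is an added example, not taken from the advisory or from Oracle's shipped configuration; the management subnet 10.0.0.0/24 is an assumption to be replaced with the addresses that actually need the status page.

```apache
# Added example httpd.conf fragment for the /oprocmgr-status location.
# Everything not explicitly allowed below receives 403 Forbidden.
<Location /oprocmgr-status>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    # assumed management subnet; replace with your own
    Allow from 10.0.0.0/255.255.255.0
</Location>
```

Restart the HTTP Server after editing and re-request the location from a host outside the allowed range to confirm the 403.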

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score : 4.8
(CVSS2#E:H/RL:W/RC:ND)
Public Exploit Available : true

Family: Databases

Nessus Plugin ID: 10851

Bugtraq ID: 4293

CVE ID: CVE-2002-0563