Oracle 9iAS SOAP Default Configuration Unauthenticated Application Deployment

high Nessus Network Monitor Plugin ID 1593

Synopsis

A default installation of Oracle 9iAS v.1.0.2.2 was detected.

Description

In a default installation of Oracle 9iAS v.1.0.2.2, it is possible to deploy or undeploy SOAP services without the need of any kind of credentials. This is due to SOAP being enabled by default after installation in order to provide a convenient way to use SOAP samples. However, this feature poses a threat to HTTP servers with public access since remote attackers can create SOAP services and then invoke them remotely. Since SOAP services can contain arbitrary Java code in Oracle 9iAS this means that an attacker can execute arbitrary code in the remote server.

Solution

Disable SOAP.

See Also

http://www.oracle.com/technology/deploy/security/pdf/ias_soap_alert.pdf

http://www.cert.org/advisories/CA-2002-08.html

http://www.kb.cert.org/vuls/id/476619

http://www.nextgenss.com/papers/hpoas.pdf

http://otn.oracle.com/deploy/security/pdf/ias_soap_alert.pdf,http://www.cert.org/advisories/CA-2002-08.html,http://www.kb.cert.org/vuls/id/476619

Plugin Details

Severity: High

ID: 1593

Family: Web Servers

Published: 8/20/2004

Updated: 3/6/2019

Nessus ID: 11227

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 7.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:H/RL:W/RC:C

Vulnerability Information

CPE: cpe:/a:oracle:application_server

Reference Information

CVE: CVE-2001-1371

BID: 4289