COMMAND

    Oracle Application Server

SYSTEMS AFFECTED

    Oracle Application Server version 4.0 (All revisions prior to 4.0.8 are affected)

PROBLEM

    Internet Security  Systems (ISS)  X-Force has  discovered multiple
    vulnerabilities in  the Oracle  Application Server  (OAS) that may
    lead  to  local  super-user  access.   Attackers  may  use   these
    vulnerabilities to destroy root owned  files as well as gain  root
    access.  An  account on the  target system is  required to exploit
    these vulnerabilities.

    Server Startup Vulnerabilities:
    ===============================
    The Oracle Application Server is owned by the user 'oracle' in
    most configurations.  This includes the administrative utilities
    to start, stop, and manipulate the servers.  Unprivileged users
    may not bind servers to ports below 1024.  Oracle has made the
    'owslctl' utility setuid root, which allows normal users to start
    the server on privileged ports.  Attackers may take advantage of
    this design to compromise super-user access.

    Apache Startup Vulnerabilities:
    ===============================
    The Oracle Application Server offers web administrators the
    option to install and configure HTTP listeners.  The Oracle
    Management server supports both Netscape and Apache listeners in
    addition to those provided by Oracle with the Application Server.
    An administrator choosing to install an Apache listener must
    supply a unique name, a path to the server's executable, and a
    configuration file.  Once supplied, a backend setuid root
    executable attempts to start the Apache server.  An attacker with
    an unprivileged account on the target system may trick 'apchlctl'
    into executing an arbitrary command as root.  The Apache start
    executable also handles write() calls unsafely, and certain files
    it creates will follow symbolic links.
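    To make the symbolic-link point concrete, the following is an added
    example (not ISS's or Oracle's code) of the file-creation pattern a
    setuid-root start helper should use: the unsafe open() beside the
    hardened open() with O_EXCL|O_NOFOLLOW, plus a constructed fixture
    that reports whether a planted symlink is followed.  The file names
    and the /tmp fixture directory are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern: O_CREAT|O_TRUNC without O_EXCL follows an existing
   symlink and truncates its target with the caller's (root) privileges. */
int create_file_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened pattern: O_EXCL fails if anything already exists at path and
   O_NOFOLLOW refuses a symlink in the final component; fstat then confirms
   we hold a regular file we own.  Returns the fd, or -1 with errno set. */
int create_file_safe(const char *path) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed fixture: in a fresh temp dir, write "keep" to "victim", plant
   a symlink "status" -> "victim", call creator() on "status", and report
   whether "victim" was truncated (1) or left intact (0); -1 on setup error. */
int symlink_is_followed(int (*creator)(const char *)) {
    char dir[] = "/tmp/oas-symlink-XXXXXX", victim[64], link[64];
    struct stat st;
    int fd, followed;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/status", dir);
    fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "keep", 4) != 4 || close(fd) != 0 ||
        symlink(victim, link) != 0)
        return -1;
    fd = creator(link);
    if (fd >= 0) close(fd);
    followed = (stat(victim, &st) == 0 && st.st_size == 0);
    unlink(link); unlink(victim); rmdir(dir);
    return followed;
}
```

    With this fixture, symlink_is_followed(create_file_unsafe) returns 1
    and symlink_is_followed(create_file_safe) returns 0.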

    These vulnerabilities were primarily researched by Dan Ingevaldson
    of  the  ISS  X-Force.   ISS  X-Force  would  like to thank Oracle
    Corporation   for   their   response   and   handling   of   these
    vulnerabilities.

SOLUTION

    Oracle has supplied ISS X-Force  with two potential fixes for  the
    described vulnerabilities.  Oracle has  informed ISS  that fix  1,
    which is most secure, will affect OAS failure recovery for  Oracle
    Web Listener  processes running  on port  numbers <  1024.  Fix 2,
    which is less secure, requires that the Oracle account be  treated
    as a  trusted account  and customers  should take  all precautions
    necessary to  protect access  to it.   ISS recommends  that Oracle
    Application Server administrators  carefully evaluate these  fixes
    before  they  are  applied.   Oracle  customers can find important
    information  on  this  OAS  security  issue  on Oracle's web-based
    Metalink system at:

        http://metalink.oracle.com

    Customers  should  reference  document  number  76484.1  under the
    advanced search engine available on Metalink.  Customers can  also
    find  an  alert  under  Oracle  Application  Server  on the Oracle
    Metalink system.