5 Replies Latest reply: Mar 4, 2011 10:32 AM by Ken Vincent-Oracle

    Security Vulnerabilities on OAS 10.1.2.3

    844233
      Hello,

      I installed the latest security patch 10031947 on my server (Infra & Midtier), and after a new security scan I'm still receiving the following vulnerabilities:

      However, the patches did not resolve the following vulnerabilities and they still exist.
      •     PM12041 Open ipnsec cve-2010-0067 SSDEAPP10[204.53.90.45] - FOUNDSCAN HIGH VULN #7686.
      ORACLE APPLICATION SERVER ORACLE CONTAINERS FOR J2EE COMPONENT REMOTE CODE EXECUTION VULNERABILITY

      •     PM12045 Open ipnsec cve-2009-0217 SSDEAPP10[204.53.90.45] - FOUNDSCAN MEDIUM VULN #7089.
      ORACLE APPLICATION SERVER SECURITY DEVELOPER TOOLS COMPONENT HMAC TRUNCATION AUTHENTICATION BYPASS VULNERABILITY

      •     PM12044 Open ipnsec cve-2009-1976 SSDEAPP10[204.53.90.45] - FOUNDSCAN MEDIUM VULN #7092.
      ORACLE APPLICATION HTTP SERVER COMPONENT UNSPECIFIED VULNERABILITY (CVE-2009-1976)

      •     PM12043 Open ipnsec cve-2009-3407 SSDEAPP10[204.53.90.45] - FOUNDSCAN MEDIUM VULN #7283.
      ORACLE APPLICATION SERVER PORTAL COMPONENT UNSPECIFIED VULNERABILITY (CVE-2009-3407)

      •     PM12040 Open ipnsec cve-2009-0974 SSDEAPP10[204.53.90.45] - FOUNDSCAN MEDIUM VULN #7961.
      ORACLE APPLICATION SERVER PORTAL UNSPECIFIED REMOTE DENIAL OF SERVICE VULNERABILITY

      •     PM12039 Open ipnsec cve-2009-0983 SSDEAPP10[204.53.90.45] - FOUNDSCAN MEDIUM VULN #7991.
      ORACLE APPLICATION SERVER PORTAL REMOTE DENIAL OF SERVICE VULNERABILITY


      How can I find the correct patches to eliminate the listed vulnerabilities?

      Thanks in advance.

      Veronica.
        • 1. Re: Security Vulnerabilities on OAS 10.1.2.3
          Alex Barclay-Oracle
          Veronica,

          Thanks for being the first poster on our new forum.

          Let me investigate this a little more and get back with you; it looks like these are more application issues from a first glance and may be false positives. But do me a favor and let me know what security scanner you're using and what version of Oracle Solaris. I may have to refer you to our support team, but let's investigate a little further. If this is a priority issue that you need support on, please contact support via your normal methods.

          -Alex
          • 2. Re: Security Vulnerabilities on OAS 10.1.2.3
            844233
            Thanks a lot.

            The product used to scan for the vulnerabilities is McAfee Foundstone Enterprise.

            OAS version is 10.1.2.3.0:

            $ ./opmnctl status

            Processes in Instance: Infra.ssdeapp10.sdde.deere.com
            ------------------------------------------------+---------
            ias-component | process-type | pid | status
            ------------------------------------------------+---------
            LogLoader | logloaderd | N/A | Down
            dcm-daemon | dcm-daemon | 23080 | Alive
            OC4J | OC4J_SECURITY | 23019 | Alive
            OC4J | oca | 23020 | Alive
            HTTP_Server | HTTP_Server | 23016 | Alive
            OID | OID | 23039 | Alive
            DSA | DSA | N/A | Down


            $ ./emctl status iasconsole
            Oracle Enterprise Manager 10g Application Server Control Release 10.1.2.3.0
            Copyright (c) 1996, 2005 Oracle Corporation. All rights reserved.
            http://ssdeapp10.sdde.deere.com:1156/emd/console/aboutApplication
            Oracle Enterprise Manager 10g Application Server Control is not running.
            ------------------------------------------------------------------
            Logs are generated in directory /usr/oraias/Infra/sysman/log

            pe00357@ssdeapp10:/usr/oraias/Infra/bin

            pe00357@ssdeapp10:/usr/oraias/MidTier/opmn/bin
            $ ./opmnctl status

            Processes in Instance: MidTier.ssdeapp10.sdde.deere.com
            ------------------------------------------------+---------
            ias-component| process-type | pid | status
            ------------------------------------------------+---------
            LogLoader | logloaderd | N/A | Down
            dcm-daemon | dcm-daemon | 2397 | Alive
            OC4J | home | 2589 | Alive
            OC4J | OC4J_Portal | 2587 | Alive
            OC4J | OC4J_BI_Forms | 2586 | Alive
            WebCache | WebCache | 2391 | Alive
            WebCache | WebCacheAdmin | 2387 | Alive
            HTTP_Server | HTTP_Server | 2398 | Alive
            Discoverer | ServicesStatus | 2395 | Alive
            Discoverer | PreferenceServer | 2396 | Alive
            wireless | performance_server | 2838 | Alive
            wireless | messaging_server | 2836 | Alive
            wireless | OC4J_Wireless | 2839 | Alive
            DSA | DSA | N/A | Down

            pe00357@ssdeapp10:/usr/oraias/MidTier/bin
            $ ./emctl status iasconsole
            Oracle Enterprise Manager 10g Application Server Control Release 10.1.2.3.0
            Copyright (c) 1996, 2005 Oracle Corporation. All rights reserved.
            http://ssdeapp10.sdde.deere.com:1810/emd/console/aboutApplication
            Oracle Enterprise Manager 10g Application Server Control is not running.
            ------------------------------------------------------------------
            Logs are generated in directory /usr/oraias/MidTier/sysman/log

            Installed Patch List:
            =====================
            1) Patch 9974899 applied on Wed Feb 09 14:49:30 CST 2011
            Unique Patch ID: 12918562
            [ Bug fixes: 7552946 4692585 6790178 7529830 6526074 9974899 8416899 6018059 6024000 6772953 7514592 7529859 5596834 6844221 5724681 7430171 6471931 5979883 5155185 6060499 5740055 6134487 6912781 6681624 5985742 4473073 7021360 4685283 4635520 6433471 5902630 9288120 7519011 6237650 7195030 5763122 5999450 6917549 6150541 5562810 6647933 9204863 5453754 6153975 5697416 5932346 5573438 7146872 7574599 6682888 7229577 9195865 6655345 6713795 5025985 9213612 7113141  ]
            2) Patch 9952279 applied on Wed Feb 09 14:47:15 CST 2011
            Unique Patch ID: 12918562
            [ Bug fixes: 5220448 6350565 6079585 9655023 4175906 5901912 6864078 4486132 5896963 6647005 5095815 4519477 5347751 4691191 4754900 5861360 8290534 5382595 5071931 5458543 6607951 5179574 4329444 5029950 5464895 5029952 5029954 5738539 5648727 4402808 5631915 5352587 4871035 5091108 5114396 6455161 5584790 4605877 4751932 5751672 4522921 5490845 6753516 8534394 3345756 5933477 7592360 5094098 5015557 5675556 4679094 5154689 5222931 5910829 5754150 5227879 4152843 4661844 6079603 5637094 7044603 4905112 6016022 4581220 8290629 4166537 7120513 5276400 7154097 7154098 5408664 5563256 6395024 4146291 6397568 6854919 9108675 5901877 4768040 5049074 7022400 5960451 5490935 5049077 4542188 4680009 4593539 4555795 5406923 4359124 5689908 5258410 4969005 3962946 3743912 5648102 9352208 5057964 8836540 3935623 5014128 4873311 4439469 4331689 6705965 4597251 4903532 6055387 7576788 5650178 5225797 4047969 4554284 5376215 4874628 5401921 5151518 4458415 4900129 5226235 7375686 5122955 5095648 4561867 5239126 4712638 4925103 5354517 4745776 5998987 4939157 6404864 4627335 7300525 5501362 4587572 4969029 9119261 6270140 5055442 7334756 6639839 4492467 5222032 5151675 5242647 6999528 7137797 6864202 6737308 4587431 5605370 6647068 9952279 6826532 4335559 5417371 4671216 5065930 9362645 4575854 6130365 5355257 5243019 7173149 6639553 4966417 5884075 4899479 4610820 3837600 5092688 4528572 4449900 4601861 6009358 4226736 6404447 4348230 8785236 5233111 5644862 4197970  ]
            3) Patch 9679852 applied on Wed Feb 09 14:41:11 CST 2011
            Unique Patch ID: 12918562
            [ Bug fixes: 9772332 9357234 9765884 7379127 7608327 7156655 7156648 9173023 8265594 7135493 8537027 9679852 7135488 8298232 7379122  ]
            4) Patch 9282569 applied on Wed Aug 18 11:00:44 CDT 2010
            Unique Patch ID: 12575148
            [ Bug fixes: 8316127 5969391 7573720 6395358 7567072 8287889 6446152 7231982 8342525 7242694 8319129 6933210 6128859 7703734 7021759 7001328 5733397 7046878 6683962 7150529 6999812 7215354 6251633 7164050 7171994 6770810 7029083 7304653 7595761 5950737 7657973 6391947 7240862 7359193 7358376 8866722 6078303 6857221 8928753 8727236 7329300 6790720 7000696 7114153 7319888 8808264 7351564 7833659 8339004 6460568 8485711 7286928 5465339 7126045 6821297 7350891 6724714 6823259 7175618 6704955 8552429 7261996 7123031  ]
            5) Patch 7121788 applied on Wed Aug 18 07:53:44 CDT 2010
            [ Bug fixes: 7121788  ]

            OPatch succeeded.
            • 3. Re: Security Vulnerabilities on OAS 10.1.2.3
              Eric P. Maurice
              Hi Veronica,

              As Alex indicated, you may be getting false results from your scanner.
              In regards to your question: all these vulnerabilities are for various versions of Oracle Application Server.
              1.     CVE-2010-0067 was fixed with the January 2009 Critical Patch Update, see http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html
              2.     CVE-2009-0217 and CVE-2009-1976 were fixed with the July 2009 Critical Patch Update, see http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html
              3.     CVE-2009-3407 was fixed with the October 2009 Critical Patch Update, see http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html
              4.     CVE-2009-0974 and CVE-2009-0983 were fixed with the April 2009 Critical Patch Update, see http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html

              CVEs are unique identifiers for vulnerabilities. You can search these in the CVE database located at http://cve.mitre.org/. However, I highly recommend that you use the Security Alerts and Critical Patch Updates page as the most authoritative source of vulnerability information for Oracle products. This page is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html. It lists all the Critical Patch Updates and Security Alerts that were issued by Oracle. From there, you can get to all the security advisories, and get the links to the proper documentation as well as instructions on how to download patches.

              In regards to the specific vulnerabilities you asked about, I recommend you check the advisories I listed at the beginning of this e-mail. Check out the last column of the Application Server risk matrix, and look if the version you are running (10.1.2.3) is affected by the vulnerabilities. If so, apply the most recent Critical Patch Update for Oracle Application Server, and you should be all set!
              • 4. Re: Security Vulnerabilities on OAS 10.1.2.3
                844233
                I installed the most recent CPU patches, which is why I don't understand why there are still security vulnerabilities in the installation.

                Did I do something wrong in the installation?

                Here are the patches I installed:

                LATEST CPU JAN 2011
                3.2.7.5 Patch Availability for Oracle Fusion Middleware 10.1.2.3

                Table 32 describes patch information for Oracle Fusion Middleware 10.1.2.3.

                For each home you are about to administer, find the appropriate patches based on the components installed in that home. Then, apply those patches in the order listed. For information about the different types of installations, see My Oracle Support Note 405972.1, Oracle Application Server 10g Examples for Critical Patch Updates - Plus FMW 11g.

                Table 32 Patch Availability for Oracle Fusion Middleware 10.1.2.3

                Oracle Fusion Middleware 10.1.2.3                | UNIX
                -------------------------------------------------+----------------
                Infrastructure home (Oracle Universal Installer) | Patch 6640838
                Infrastructure home                              | Patch 10031947
                Middle Tier home (Oracle Universal Installer)    | Patch 6640838
                Middle tier home                                 | Patch 10031947

                I didn't install the following, as I just use Forms and Reports:

                Developer Suite home                             | Patch 10031947
                Portal 10.1.4.2 Repository home                  | Patch 9386084
                Portal 10.1.2.3 Repository home                  | Patch 9386107
                Portal 10.1.2.3/10.1.4.2 middle tier home        | Patch 7379081
                JDeveloper home                                  | Patch 7573867
                Discoverer Admin/Desktop home                    | NA
                Discoverer Plus or Viewer / Middle-tier home     | Patch 10233659
                OC4J home (Standalone)                           | Patch 9452262
                Oracle Forms home                                | Patch 9593176
                JInitiator (footnote 1)                          | Patch 5882294
                Middle Tier home (Oracle Wireless)               | Patch 9774786
                • 5. Re: Security Vulnerabilities on OAS 10.1.2.3
                  Ken Vincent-Oracle
                  Veronica,

                  -- The question here is about CPU for the Oracle Application Server 10g 10.1.2.3 product and remaining potential vulnerabilities due to a third-party scan result.

                  This is actually posted in an incorrect Forum. This Forum is for the Solaris OS product. (The AS 10.1.2.3 product is here: Oracle Application Server - General ).

                  Also, Forums in general are not intended for vulnerability discussions. (Note that "security best practices" are different from "vulnerabilities".) Information regarding vulnerabilities in Oracle products should only come from the Oracle Security site (which Eric also referred to), where you can see the policies and correct actions to take if you have a new vulnerability to address and/or report:

                  http://www.oracle.com/technetwork/topics/security/alerts-086861.html


                  Oracle customers can review the following My Oracle Support document for the combination of concerns here:

                  Note 1074055.1 Security Vulnerability FAQ for Oracle Application Server (Fusion Middleware)

                  See: "5. Scan Reports" for the result of your scan:

                  It is mainly referring to the following:

                  Reporting Security Vulnerabilities
                  [ http://www.oracle.com/technetwork/topics/security/alerts-086861.html#ReportingVulnerabilities ]

                  Security Vulnerability Fixing Policy and Process
                  [ http://www.oracle.com/us/support/assurance/fixing-policies/index.html ]

                  In the case of security scans from a third party, it is unknown if the scan is actually exposing the vulnerability, only checking for a version, or something that is usually present to indicate the vulnerability could be there. The scanning vendor should be contacted to ensure it considers Oracle products and Critical Patch Updates applied. Such vendors can also contact and work with Oracle Security to report vulnerabilities, and/or check if items are fixed in specific CPUs.

                  (and as Eric said, the associated CVEs are listed on the Oracle Security Site)

                  If you need to double-check the patching requirements, the following may be used:

                  Note 405972.1 - Oracle Application Server 10g Examples for Critical Patch Updates - Plus FMW 11g

                  It does appear the correct patches are applied, as the list is directly from the Patch Availability Document from the Security Alert. If it's required to check whether they were installed as intended, a Service Request would be recommended. The installation should be checked by referring to the opatch installation logs and checking the actions performed by the installation. It would be better to upload the install logs to a Service Request for this check.

                  The scanning vendor should also be consulted on what is being checked, and issues reported according to policy. If there are more questions, we can also address in the Service Request.

                  ...Ken
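As an added illustration of the check Ken recommends (reconciling what OPatch reports as installed against the CPU's Patch Availability table), here is a small Python script that is not part of this thread. The sample inventory is constructed and abbreviated from the `opmnctl`/OPatch output quoted above, and the rule that a required patch number appearing in another patch's bug-fix list counts as present is an assumption about bundle patches, not Oracle's documented behaviour.

```python
import re

# Constructed sample: abbreviated `opatch lsinventory` output as quoted in this thread.
SAMPLE_LSINVENTORY = """\
Installed Patch List:
=====================
1) Patch 9974899 applied on Wed Feb 09 14:49:30 CST 2011
Unique Patch ID: 12918562
[ Bug fixes: 7552946 4692585 9974899  ]
2) Patch 9952279 applied on Wed Feb 09 14:47:15 CST 2011
Unique Patch ID: 12918562
[ Bug fixes: 5220448 9952279  ]
3) Patch 9282569 applied on Wed Aug 18 11:00:44 CDT 2010
Unique Patch ID: 12575148
[ Bug fixes: 8316127 9282569  ]
4) Patch 7121788 applied on Wed Aug 18 07:53:44 CDT 2010
[ Bug fixes: 7121788  ]

OPatch succeeded.
"""
# Patch numbers the Jan 2011 CPU table quoted above lists for an Infrastructure home.
REQUIRED_INFRA = ["6640838", "10031947"]

PATCH_RE = re.compile(r"^\s*\d+\)\s+Patch\s+(\d+)\s+applied on\s+(.+?)\s*$")
BUGFIX_RE = re.compile(r"^\s*\[\s*Bug fixes:\s*([\d\s]+)\]")

def parse_lsinventory(text):
    """Return {patch_id: {"applied": date_string, "bugs": set_of_bug_ids}}."""
    patches, current = {}, None
    for line in text.splitlines():
        m = PATCH_RE.match(line)
        if m:
            current = m.group(1)
            patches[current] = {"applied": m.group(2), "bugs": set()}
            continue
        m = BUGFIX_RE.match(line)
        if m and current:
            patches[current]["bugs"].update(m.group(1).split())
    return patches

def check_required(patches, required):
    """Split the CPU's required patch numbers into (present, missing).
    Assumption (not Oracle-documented): a required id that only appears in
    another patch's bug-fix list counts as present; the rest belongs in an SR."""
    known = set(patches)
    for p in patches.values():
        known |= p["bugs"]
    present = {r for r in required if r in known}
    return present, set(required) - present
```

Run it against a real `opatch lsinventory` capture and the required list for your home; anything reported as missing is what to raise with support, and anything present but still flagged by the scanner points back to Ken's question of what the scanner is actually checking.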