Oracle9i Application Server (9iAS) ships with a number of insecure default configurations that could grant attackers unauthorized access to administrative functions or to data stored on the system.
The first configuration issue concerns the OWA_UTIL Procedural Language/Structured Query Language (PL/SQL) package. This package exposes several procedures to the web. More importantly, some of the procedures are accessible via anonymous web access. An attacker can exploit this vulnerability to view the source code of PL/SQL applications, acquire access credentials for other servers, access other servers, or perform arbitrary SQL queries.
The second issue allows an attacker to access the PL/SQL gateway administration web interface without the need to authenticate. An attacker could take advantage of this vulnerability to modify Data Access Descriptors (DAD) and cache settings. By modifying these elements, the attacker could access PL/SQL applications or create a denial of service (DoS) condition for legitimate users. Additionally, an attacker can exploit two buffer overflow vulnerabilities if he or she gains access to the gateway administration web interface. These vulnerabilities are discussed in Alert 3253.
The third vulnerability involves the Simple Object Access Protocol (SOAP). This protocol is enabled by default and can permit unauthenticated remote users to activate and deactivate SOAP services. This could enable the attacker to modify the behavior of the target system, obtain restricted data, or execute other unauthorized commands.
The fourth vulnerability concerns Oracle's implementation of the Apache web server and its associated services. Some of these services can be accessed by an unauthenticated remote user. The most significant of these services is the Dynamic Monitoring Service. Remote attackers can use the Dynamic Monitoring Service to gather information about the internal workings of the system to prepare for future attacks.
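The first, second and fourth issues above share a useful detection property: each one is reached through an HTTP request to a distinct part of the Oracle HTTP Server URL space, so a defender can find successful use of the exposed OWA_UTIL procedures, the PL/SQL gateway administration pages and the Dynamic Monitoring Service by scanning the web server's access log. The script below is an added example written for this page, not code from Oracle or from the advisory. It assumes (my assumptions, not stated above) that the PL/SQL gateway serves Data Access Descriptors under `/pls/<dad>/`, its administration interface under `/pls/<dad>/admin_/`, OWA_UTIL procedures as `/pls/<dad>/owa_util.<procedure>`, and DMS under `/dms0`; the log lines are constructed samples in Common Log Format.

```python
import re
from typing import Dict, List, Optional

# Constructed sample access-log lines (not taken from the advisory); the client
# addresses, DAD name, timestamps and sizes are made up for illustration.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2002:10:01:02 +0000] "GET /pls/portal/admin_/gateway.htm HTTP/1.0" 200 4123
10.0.0.5 - - [12/Feb/2002:10:01:09 +0000] "GET /pls/portal/owa_util.showsource?cname=MYPKG HTTP/1.0" 200 913
10.0.0.7 - - [12/Feb/2002:10:02:11 +0000] "GET /dms0/ HTTP/1.0" 200 21011
10.0.0.9 - - [12/Feb/2002:10:03:30 +0000] "GET /pls/portal/myapp.home HTTP/1.0" 200 2202
10.0.0.9 - - [12/Feb/2002:10:03:31 +0000] "GET /images/logo.gif HTTP/1.0" 304 0
10.0.0.5 - - [12/Feb/2002:10:04:40 +0000] "GET /pls/portal/admin_/ HTTP/1.0" 401 312
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD PATH PROTO", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumed URL shapes for the three exposures (assumptions, see lead-in).
RULES = [
    ("plsql_gateway_admin", re.compile(r"^/pls/[^/?]+/admin_(/|$|\?)", re.I)),
    ("owa_util_procedure", re.compile(r"^/pls/[^/?]+/owa_util\.", re.I)),
    ("dynamic_monitoring_service", re.compile(r"^/dms0(/|$|\?)", re.I)),
]


def classify(path: str) -> Optional[str]:
    """Return the exposure a request path touches, or None for ordinary traffic."""
    for name, rx in RULES:
        if rx.search(path):
            return name
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Parse access-log lines and return every request that hits one of the
    exposures, with the response status so attempts and successes can be told apart."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        tag = classify(m.group("path"))
        if tag is None:
            continue
        findings.append({
            "client": m.group("ip"),
            "time": m.group("ts"),
            "path": m.group("path"),
            "status": m.group("status"),
            "exposure": tag,
        })
    return findings


def successful_hits(findings: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Only 2xx responses prove the resource was actually served to the client;
    a 401 or 403 means the workaround (authentication / access control) held."""
    return [f for f in findings if f["status"].startswith("2")]


def clients_by_exposure(findings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group distinct client addresses under each exposure they reached."""
    out: Dict[str, List[str]] = {}
    for f in successful_hits(findings):
        bucket = out.setdefault(f["exposure"], [])
        if f["client"] not in bucket:
            bucket.append(f["client"])
    return out


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["client"]} {h["status"]} {h["exposure"]:<28} {h["path"]}')
    print("clients per exposure:", clients_by_exposure(hits))
```

Running the block on the constructed log prints four matching requests; the last one (a 401 on the administration interface) is excluded by `successful_hits`, which is the distinction an analyst wants when verifying that the vendor workarounds are in place. Point `scan_log` at the real Oracle HTTP Server access log and any 2xx entry under `plsql_gateway_admin` or `owa_util_procedure` from an unexpected client is evidence that the default configuration is still exposed.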
The fifth and final vulnerability is the result of a large number of default account names and passwords. Depending upon the manner in which Oracle9iAS has been installed, up to 160 default accounts with known passwords could be available.
Vendor-supplied workarounds are available.