CVE-2000-1235

Source: cve@mitre.org

MEDIUM
5.0
Published: December 31, 2000 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM

Vulnerability Description

The default configurations of (1) the port listener and (2) modplsql in Oracle Internet Application Server (IAS) 3.0.7 and earlier allow remote attackers to view privileged database information via HTTP requests for Database Access Descriptor (DAD) files.

CVSS Metrics

Base Score
5.0
Severity
MEDIUM
Vector String
AV:N/AC:L/Au:N/C:P/I:N/A:N

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Oracle Internet Application Server (IAS) versions 3.0.7 and earlier are vulnerable to a critical information disclosure flaw. This allows remote attackers to access sensitive database information, potentially leading to complete system compromise. Exploitation leverages default configurations to expose Database Access Descriptor (DAD) files via HTTP requests.

02 // Vulnerability Mechanism

Step 1: Target Identification: The attacker identifies a vulnerable Oracle IAS server running version 3.0.7 or earlier.

Step 2: Request Construction: The attacker crafts an HTTP request targeting a known or guessed location of a DAD file. This often involves knowing the default directory structure or common file names.

Step 3: Request Submission: The attacker sends the HTTP request to the vulnerable server.

Step 4: Information Retrieval: The server, due to the insecure configuration, processes the request and returns the contents of the DAD file in the HTTP response.

Step 5: Credential Extraction: The attacker extracts sensitive database connection credentials (username, password, database server address) from the DAD file contents.

Step 6: Database Access: The attacker uses the extracted credentials to connect to the database and potentially execute malicious SQL queries, leading to data exfiltration or system compromise.

03 // Deep Technical Analysis

The vulnerability stems from insecure default configurations within Oracle IAS. Specifically, the port listener and the modplsql module fail to adequately restrict access to DAD files. These files contain sensitive database connection details, including usernames, passwords, and database server addresses. The lack of proper access controls allows unauthenticated users to request and retrieve these files, effectively providing them with the credentials needed to connect to the underlying database and potentially execute arbitrary SQL queries. The root cause is a design flaw where the system trusts HTTP requests without proper authorization checks for accessing DAD files. This is not a buffer overflow or race condition, but a simple lack of access control.

04 // Exploitation Status

While the vulnerability is old, the simplicity of the exploit makes it a persistent threat. **Public PoC** exploits are readily available, and the vulnerability is likely still **Actively exploited** in environments with outdated systems. Exploits are trivial to implement.

05 // Threat Intelligence

This vulnerability is a known attack vector for various threat actors seeking initial access and data exfiltration. While no specific APTs are directly linked, the ease of exploitation makes it attractive to a wide range of attackers. This vulnerability is not listed in the CISA KEV at the time of this report, but it is a high-risk vulnerability due to its ease of exploitation and potential impact.

06 // Detection & Hunting

  • Monitor HTTP traffic for requests targeting known DAD file locations (e.g., /pls/ or /dad/).

  • Analyze HTTP response codes for successful retrieval of DAD files (e.g., 200 OK).

  • Inspect HTTP response bodies for the presence of database connection strings or sensitive information.

  • Review web server access logs for suspicious activity, such as repeated requests for DAD files from the same IP address.

  • Implement network intrusion detection systems (IDS) with signatures specifically designed to detect exploitation attempts against this vulnerability.
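As an added example (not part of the original advisory), the following Python script implements the first four hunting points above against web server access logs: it flags requests for DAD locations that returned 200 and counts repeated DAD requests per client IP. The log lines are constructed for the demo, and the DAD path markers (/pls/, /dad/) are the ones the advisory names; the marker list is an assumption to extend per deployment.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Common Log Format lines for this demo; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Apr/2025:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043
10.0.0.9 - - [03/Apr/2025:10:00:02 +0000] "GET /pls/sample_dad HTTP/1.0" 200 512
10.0.0.9 - - [03/Apr/2025:10:00:03 +0000] "GET /pls/other_dad HTTP/1.0" 404 210
10.0.0.9 - - [03/Apr/2025:10:00:04 +0000] "GET /%64ad/config HTTP/1.0" 200 640
10.0.0.7 - - [03/Apr/2025:10:00:05 +0000] "GET /dad/config HTTP/1.0" 403 0
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Path markers the advisory names as DAD locations; assumed list, extend per deployment.
DAD_MARKERS = ("/pls/", "/dad/")

def parse_clf(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None

def is_dad_request(path):
    """True if the percent-decoded request path touches a DAD location.
    Decoding first catches forms such as /%64ad/ that a raw substring
    match would miss; the query string is ignored."""
    decoded = unquote(path.split("?", 1)[0]).lower()
    return any(marker in decoded for marker in DAD_MARKERS)

def hunt_dad_access(log_text, repeat_threshold=2):
    """Return (successful_reads, repeat_offenders) for the given log text.
    successful_reads: (ip, decoded path) pairs where a DAD request got 200.
    repeat_offenders: {ip: count} for IPs with >= repeat_threshold DAD
    requests of any status, since probing also shows up as 403/404."""
    successful, attempts = [], Counter()
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None or not is_dad_request(rec["path"]):
            continue
        attempts[rec["ip"]] += 1
        if rec["status"] == "200":
            successful.append((rec["ip"], unquote(rec["path"])))
    offenders = {ip: n for ip, n in attempts.items() if n >= repeat_threshold}
    return successful, offenders

if __name__ == "__main__":
    print(hunt_dad_access(SAMPLE_LOG))
```

Point the script at real logs by feeding the file contents to hunt_dad_access; successful reads are the alerts, and repeat offenders are the candidates for the log-review item above.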

07 // Remediation & Hardening

  • Upgrade to a patched version of Oracle IAS. This is the most effective solution.

  • If upgrading is not immediately possible, implement strong access controls to restrict access to DAD files. This may involve modifying the web server configuration to deny access to these files or placing them outside the web server's document root.

  • Review and harden the default configurations of the port listener and modplsql module.

  • Implement a Web Application Firewall (WAF) to filter malicious HTTP requests.

  • Regularly scan the system for vulnerabilities and apply security patches promptly.

  • Rotate database credentials regularly.

08 // Affected Products

Oracle Internet Application Server (IAS) 3.0.7 and earlier

09 // Discovered Proof of Concept Links
