Oracle 9iAS Java Process Manager /oprocmgr-status Anonymous Process Manipulation

medium Nessus Plugin ID 10851

Synopsis

It is possible to obtain the list of Java processes running on the remote host anonymously, as well as to start and stop them.

Description

The remote host is an Oracle 9iAS server. By default, accessing the location /oprocmgr-status via HTTP lets an attacker obtain the list of processes running on the remote host, and even to to start or stop them.

Solution

Restrict access to /oprocmgr-status in httpd.conf

See Also

http://www.nessus.org/u?80fe4531

Plugin Details

Severity: Medium

ID: 10851

File Name: oracle9i_java_process_manager.nasl

Version: 1.27

Type: remote

Family: Databases

Published: 2/7/2002

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.7

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Information

CPE: cpe:/a:oracle:application_server_web_cache, cpe:/a:oracle:application_server

Required KB Items: www/OracleApache

Exploit Ease: No known exploits are available

Patch Publication Date: 2/6/2002

Vulnerability Publication Date: 2/6/2002

Reference Information

CVE: CVE-2002-0563

BID: 4293

CWE: 287