A high risk involving SOAP processing in Oracle9i Application Server and Oracle9i Database Server threatens XML and Web services in those products.
Oracle Corp. last week revealed that a potential security vulnerability has been discovered in its Oracle9i Application Server and Oracle9i Database Server.
The vulnerability is within SOAP (Simple Object Access Protocol) messages whose XML contains carefully constructed DTDs (Data Type Definitions), according to Oracle Technology Network's security alert. The alert notes that SOAP is the basis of Web services, which are therefore affected as well.
To exploit the vulnerability, a malicious user requires access to SOAP-enabled servers. A knowledgeable attacker can exploit the vulnerability to cause a DoS (denial of service) against the database and application servers.
XML and SOAP are installed by default in both the database and application servers when the Oracle HTTP Server is installed.
Risk is high in Oracle9i Application Server Release 2, Version 126.96.36.199 and earlier, since authentication to SOAP is not turned on by default. Risk is only moderate post-Release 2, Version 188.8.131.52 and in Oracle9i Database Server, since those later versions require authentication to SOAP.
Unauthenticated clients don't pose a threat if SOAP is protected by client authentication before the processing of SOAP XML data structures. Oracle's security alert gives the example of SSL sessions protected by client X.509 certificates as being protected against unauthenticated clients.
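As an added defensive illustration, not code from the article or from Oracle: a front-end check of the kind a site could place ahead of SOAP processing, alongside client authentication, that refuses any envelope carrying a DOCTYPE before the DTD section is ever read. The sample envelopes and the `urn:example` namespace are constructed for the demonstration.

```python
import xml.parsers.expat


class DoctypeInSoapMessage(Exception):
    """Raised when a SOAP envelope carries a DOCTYPE/DTD section."""


def reject_dtd_soap(message: bytes) -> str:
    """Parse a SOAP envelope and refuse it as soon as a DOCTYPE appears.

    Returns the (prefixed) name of the root element on success. Because the
    refusal happens in the start-of-DOCTYPE callback, no entity declared in
    the DTD is ever processed or expanded.
    """
    parser = xml.parsers.expat.ParserCreate()
    root = []

    def on_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise DoctypeInSoapMessage(
            f"DOCTYPE {doctype_name!r} is not allowed in SOAP messages")

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.Parse(message, True)  # exceptions from handlers propagate here
    return root[0] if root else ""


def classify(message: bytes) -> str:
    """Map a message to a verdict string usable by a gateway or log line."""
    try:
        reject_dtd_soap(message)
        return "accepted"
    except DoctypeInSoapMessage:
        return "rejected: dtd"
    except xml.parsers.expat.ExpatError:
        return "rejected: malformed"


# Constructed sample envelopes (not taken from the article).
CLEAN_ENVELOPE = (
    b'<?xml version="1.0"?>'
    b'<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<SOAP-ENV:Body><m:GetStatus xmlns:m="urn:example"/></SOAP-ENV:Body>'
    b'</SOAP-ENV:Envelope>')
DTD_ENVELOPE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE Envelope [<!ENTITY note "constructed">]>'
    b'<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<SOAP-ENV:Body>&note;</SOAP-ENV:Body></SOAP-ENV:Envelope>')
```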
Disabling SOAP is a workaround for sites not using SOAP. That's done by removing or renaming the JAR file that delivers the SOAP library: [Oracle Home]/soap/lib/soap.jar.
Oracle's alert strongly recommends that customers apply a workaround or patch, and that they review the severity rating for this alert and patch accordingly. The alert links to a definition of its severity ratings and to the patch download.
Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center.