Oracle9i SOAP Vulnerability Found
The vulnerability is within SOAP (Simple Object Access Protocol) messages whose XML contains carefully constructed DTDs (Data Type Definitions), according to Oracle Technology Networks security alert, which can be viewed here. The alert notes that SOAP is the basis of Web services, which are therefore affected as well.
To exploit the vulnerability, a malicious user requires access to SOAP-enabled servers. A knowledgeable attacker can exploit the vulnerability to cause a DoS (denial of service) against the database and application servers.
XML and SOAP are installed by default in both the database and application servers when the Oracle HTTP Server is installed.
Risk is high in Oracle9i Application Server Release 2, Version 22.214.171.124 and earlier, since authentication to SOAP is not turned on by default. Risk is only moderate post-Release 2, Version 126.96.36.199 and in Oracle9i Database Server, since those later versions require authentication to SOAP.
Unauthenticated clients dont pose a threat if SOAP is protected by client authentication before the processing of SOAP XML data structures. Oracles security alert gives the example of SSL sessions protected by Client X.509 certificates as being protected against unauthenticated clients.
Disabling SOAP is a workaround for sites not using SOAP. Thats done by removing or renaming the following SOAP library, which is delivered in the following JAR file: [Oracle Home]/soap/lib/soap.jar.
Oracles alert strongly recommends customers apply a workaround or patch and that they review the severity rating for this alert and patch accordingly. Click here for a definition of severity ratings, and click here for the patch download.
Check out eWEEK.coms Database Center at http://database.eweek.com for more database news, views and analysis.