2008 Update
- For a complete treatment of the topic of Oracle security on the web,
see these books and resources:
On March 12th, Oracle released an alert detailing
vulnerabilities in the Oracle Web Cache.
Versions affected are:
Oracle Application Server Web Cache 10g (9.0.4.0.0)
Oracle9iAS Web Cache 9.0.3.1.0
Oracle9iAS Web Cache 9.0.2.3.0
Oracle9iAS Web Cache 2.0.0.4.0
All operating systems are affected. Versions of Oracle
Application Server 10g pending release (Windows, etc.) will
contain the fix when the production version is released.
Also affected is the Oracle E-Business Suite 11i if it
is utilizing the Oracle Web Cache.
Oracle is not releasing details on how to exploit this vulnerability,
but they are saying that the severity is high and recommending that all Web
Cache users apply the patch when available. Because users
connect directly to the Web Cache to process requests, firewalls will not
protect against this problem.
The details can be found at the link below:
http://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=265308.1
The vulnerability extends only to the Oracle Web Cache. Systems
that bypass the Web Cache and connect directly to OHS are
not affected.
A check of the patch availability on Metalink showed that the patch
is currently not available for download but should be available soon.