How to remediate – Oracle Application Server Webcache Requests OHS mod_access Res…

1. Introduction

The Oracle Application Server Webcache Requests OHS mod_access Res… vulnerability is an information disclosure issue affecting Oracle HTTP Server (OHS). It allows users to bypass intended access controls by directly accessing protected URLs through the web cache instead of OHS. This could lead to unauthorised viewing of sensitive data. Affected systems are typically those running vulnerable versions of Oracle Application Server with OHS enabled. The likely impact is low confidentiality, integrity and availability.

2. Technical Explanation

The vulnerability occurs because OHS does not correctly enforce access restrictions when requests are handled by the Web Cache component. An attacker can circumvent mod_access checks by crafting a request that targets the web cache directly. The CVE associated with this issue is CVE-2005-1383.

• Root cause: OHS fails to prevent access to protected URLs when requests are routed through the Web Cache.
• Exploit mechanism: An attacker sends a request directly to the web cache, bypassing mod_access rules configured in OHS. For example, an attacker could attempt to access /sensitive/data by sending a request to the web cache endpoint instead of going through OHS’s access control layer.
• Scope: Affected products include Oracle HTTP Server (OHS) versions prior to those with the fix applied.

3. Detection and Assessment

You can confirm whether your system is vulnerable by checking the OHS configuration and verifying that requests are being handled correctly. A thorough method involves testing access to protected URLs directly through the web cache.

• Quick checks: Check the OHS version using httpd -v or review the httpd.conf file for relevant settings.
• Scanning: Nessus vulnerability ID 88bc18a1 can identify this issue. This is provided as an example only.
• Logs and evidence: Examine OHS access logs for requests that bypass mod_access rules. Look for patterns where requests are hitting the web cache instead of OHS directly. The log file location varies by installation, but is typically found in /var/log/apache2 or similar directories.

httpd -v

4. Solution / Remediation Steps

The following steps detail how to fix the issue.

4.1 Preparation

• Ensure you have access to edit the httpd.conf file with appropriate permissions. A roll back plan is to restore the backed-up httpd.conf file.
• A change window may be required depending on your organisation’s policies, and approval from a system owner might be needed.

4.2 Implementation

1. Step 1: Open the httpd.conf file in a text editor.
2. Step 2: Locate the section related to Web Cache configuration.
3. Step 3: Add or modify the line ‘UseWebCacheIP’ to be enabled (set to On).
4. Step 4: Save the changes to httpd.conf.
5. Step 5: Restart OHS for the changes to take effect.

4.3 Config or Code Example

Before

# Web Cache configuration
# ... other settings ...

After

# Web Cache configuration
UseWebCacheIP On
# ... other settings ...

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help prevent this type of issue.

• Practice 1: Least privilege – configure access controls so that users only have the permissions they need, reducing the impact if a vulnerability is exploited.
• Practice 2: Input validation – validate all user input to block potentially malicious requests and data.

4.5 Automation (Optional)

No automation script is provided as it depends on your environment.

5. Verification / Validation

• Post-fix check: Verify that requests to protected URLs are now handled by OHS and subject to mod_access rules.
• Re-test: Re-run the earlier detection method (attempting to bypass access controls through the web cache) to confirm it no longer works.
• Monitoring: Monitor OHS access logs for any unexpected patterns or attempts to bypass access controls. For example, look for failed requests to protected URLs.

httpd -v

6. Preventive Measures and Monitoring

Update security baselines and implement checks in your CI/CD pipelines.

• Baselines: Update your OHS security baseline or policy to include the ‘UseWebCacheIP’ setting.
• Asset and patch process: Implement a regular patch review cycle for all systems, including Oracle Application Server components.

7. Risks, Side Effects, and Roll Back

Enabling ‘UseWebCacheIP’ may have performance implications depending on your environment.

• Roll back: Restore the backed-up httpd.conf file and restart OHS.

8. References and Resources

Links to official advisories and trusted documentation.

• Vendor advisory or bulletin: http://www.nessus.org/u?88bc18a1
• NVD or CVE entry: CVE-2005-1383
• Product or platform documentation relevant to the fix: https://seclists.org/bugtraq/2005/Apr/486