Web Cache Bug Threatens Oracle9iAS

The Oracle9i Application Server (Oracle9iAS), Oracle Corp.’s newest version of its flagship database, launched earlier in October, has not been without its supporters.

And today the product for e-businesses, which boasts a patented cache-fusion cluster technology aimed at producing linear scalability and reliability by quickly sharing frequently accessed data across all the servers in a cluster, got its first tried and tested accolade.

Oracle reports that Rentals, Inc., a provider of Web-hosted rental management software, has achieved rapid migration of its online property management application to J2EE using Oracle9iAS and its cache capabilities.

Rentals was able to complete the development, deployment and testing of key components of their application to J2EE in one month, a task that the company initially anticipated would take a minimum of four months.

“With Oracle9iAS and its built-in Web caching, we were able to triple the peak capacity of our Web site to 600,000 thousand pages per day right out of the box,” says John Perkins, Rentals’ vice president of engineering.

But while Rentals enjoys improved J2EE performance and the benefits provided by the much touted built-in caching in Oracle9iAS, the discovery of a serious bug could curtail the integrated Web Cache’s glorious moment.

Reports today from the CERT Coordination Center (CERT/CC) at Carnegie Mellon University’s Software Engineering Institute exposed a remotely exploitable buffer overflow in the Oracle9iAS Web Cache, which allows intruders to execute arbitrary code or disrupt the normal operation of Web Cache.

Defcom Labs discovered the vulnerability in the Oracle9iAS Web Cache (on all platforms). Defcom found that the Oracle9iAS Web Cache provides four web services that are all vulnerable and enabled by default when the software is installed.

Additionally, it was found that an intruder might be able to intercept and/or modify sensitive data such as credentials and other types of sensitive information passing through the host running Web Cache.

Finally, an intruder could also gain access to other systems by using Web Cache as an entry point into the network or by leveraging an existing trust relationship between Web Cache and another system.

Unfortunately, Oracle could not be reached today for comment about the reported bug or its implications.
