Nessus Vulnerability Scanner Reports Enterprise Manager Security Issues (Doc ID 1300674.1)

Last updated on NOVEMBER 02, 2016

Applies to:

Oracle Java CAPS Enterprise Service Bus - Version R6.2 and later
Information in this document applies to any platform.

Symptoms

Running Nessus Vulnerability Scanner version 4.4 against a Java CAPS 6.2 Enterprise Manager reports the following security issues:

' --- CGI Generic Injectable Parameter Weakness
Nessus was able to inject innocuous strings into CGI parameters and read them back in the HTTP response. The affected parameters are candidates for extended injection tests like cross-site scripting attacks. This is not a weakness per se; the main purpose of this test is to speed up other scripts. The results may be useful for a human pen-tester.

http://server:15000/manager/html/start?path=xxx
http://server:15000/manager/html/undeploy?path=xxx
http://server:15000/manager/html/reload?path=xxx
http://server:15000/manager/html/stop?path=xxx
http://server:15000/manager/html/sessions?path=xxx
http://server:15000/manager/html/deploy?deployWar=xxx

--- CGI Generic Cross-Site Scripting Vulnerability
The remote web server hosts CGI scripts that fail to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site. These XSS are likely to be 'non-persistent' or 'reflected'.

--- CGI Generic Cookie Injection Scripting
The remote web server hosts at least one CGI script that fails to adequately sanitize request strings with malicious JavaScript. By leveraging this issue, an attacker may be able to inject arbitrary cookies. Depending on the structure of the web application, it may be possible to launch a 'session fixation' attack using this mechanism.

--- Apache Tomcat Transfer-Encoding Header Vulnerability
The remote Apache Tomcat service is vulnerable to information disclosure or a denial of service attack due to a mishandling of invalid values for the 'Transfer-Encoding' HTTP header as sent by a client.
Upgrade to version 5.5.30 / 6.0.28 or greater.
CVE-2010-2227
BID: 41544
Secunia: 39574

--- CGI Generic Persistent Cross-Site Scripting Vulnerability
The remote web server hosts one or more CGI scripts that fail to adequately sanitize request strings containing malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site. These issues are likely to be 'persistent' or 'stored', but this aspect should be checked manually. '
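A defender-side check for the injectable-parameter, reflected XSS and cookie-injection findings above, added here as an example and not part of the Oracle article or the Nessus plugins: it scans constructed Tomcat access-log lines for requests to the Enterprise Manager's manager endpoints whose parameter values carry markup or CR/LF characters. The log format, sample lines and function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Tomcat Manager endpoints named in the Nessus findings above.
MANAGER_ENDPOINTS = {
    "/manager/html/start", "/manager/html/stop", "/manager/html/reload",
    "/manager/html/undeploy", "/manager/html/sessions", "/manager/html/deploy",
}
# Markup characters that, if echoed back unencoded, make a parameter a reflected-XSS candidate.
MARKUP_CHARS = re.compile(r'[<>"\']')
# A CR/LF inside a parameter value is the precondition for header/cookie injection.
CRLF_CHARS = re.compile(r'[\r\n]')
# Assumed Apache/Tomcat combined access-log layout; only the request line is used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def inspect_line(line):
    """Return a finding dict for a manager-endpoint request with suspicious parameters, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path not in MANAGER_ENDPOINTS:
        return None
    findings = []
    # parse_qs percent-decodes values, so %0d%0a and %3Cscript%3E are inspected in decoded form.
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        for value in values:
            if CRLF_CHARS.search(value):
                findings.append(f"crlf-in-{name}")
            elif MARKUP_CHARS.search(value):
                findings.append(f"markup-in-{name}")
    if not findings:
        return None
    return {"ip": m.group("ip"), "path": url.path, "status": m.group("status"), "findings": findings}

def scan(log_text):
    """Run inspect_line over every line of an access log and collect the hits."""
    return [f for f in (inspect_line(l) for l in log_text.splitlines()) if f]

# Constructed sample access-log lines (not taken from the report above).
SAMPLE_LOG = """\
10.0.0.5 - - [02/Nov/2016:10:00:01 +0000] "GET /manager/html/stop?path=/myapp HTTP/1.1" 200 512
10.0.0.9 - - [02/Nov/2016:10:00:07 +0000] "GET /manager/html/reload?path=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 611
10.0.0.9 - - [02/Nov/2016:10:00:09 +0000] "GET /manager/html/sessions?path=x%0d%0aSet-Cookie:%20JSESSIONID=abc HTTP/1.1" 200 420
10.0.0.5 - - [02/Nov/2016:10:00:12 +0000] "GET /index.html?q=%3Cb%3E HTTP/1.1" 200 1024
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Requests to non-manager paths are ignored even when their parameters contain markup, so the check stays focused on the endpoints the scanner flagged; widen MANAGER_ENDPOINTS to cover other reflecting pages.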

Cause
