It has been a long time since a new version of OHS has come out. The previous OHS versions based on Apache 1.3 and 2.0 were a little tired. The web server is your front door. Let's see how the security of the new OHS version based on Apache 2.2.10 stacks up. This first look was based on installing the web tier configuration on Linux.
Apache Version - The latest release is based on Apache 2.2.10, which is a very recent version. It looks like Oracle included a fix for a vulnerability in mod_status that Apache fixed in 2.2.11.
Where is mod_security? - The doc says version 2.5.9 is included in the distribution. However, if you check you will see the module is not there. The previous versions of OHS distributed an old version of mod_security (1.84), which was still very usable. We used mod_security to set up filtering rules, including a rule that stopped an XSS vulnerability in OBIEE. We opened an SR and Oracle replied that mod_security would not be distributed with FMW 11g. Integrating the open source version is not supported, so if you were using this module you are out of luck.
Conf file macros - The httpd.conf file uses macros to set the Oracle Home directory for directives such as the DocumentRoot. This means other tools cannot understand the format. We always used the apachectl configtest option to verify the config before restarting OHS. This no longer works with the macro format. The macro option is not a bad choice, but why not go with mod_macro?
Compile options - Oracle compiled a minimum number of modules into the distribution. It's basically just the core modules and two Oracle specific modules, odl_log and ora_audit. You can see the list with the command httpd.worker -l. This gives you the option to disable modules that are not needed for the intended use. Oracle also compiled with the threaded MPM worker by default, unlike the previous OHS 2.0 version, which required OPMN changes to enable threads.
Wildcard include - The httpd.conf uses a wildcard to include conf files from the moduleconf sub-directory. This is really a bad idea. If someone inserts a bad conf file into the moduleconf sub-directory, then the next time the OHS server restarts it will pick up this file and use it. The configuration files that are used should be explicitly named.
Server Signature - The config directives were set more securely with the addition of ServerTokens Prod and ServerSignature Off.
cgi-bin - The printenv and test-cgi scripts are still being distributed in the cgi-bin directory. In addition, the cgi-bin directory is uncommented in the httpd.conf file. The only thing preventing execution of these scripts is the lack of execute permission on the files. These files should not be included in the distribution.
Logging - The default logging is ODL style with an option to switch to standard Apache logging. Using ODL logging can limit the options for using third party analysis tools. This just does not look like it adds real value. The XML style logs just seem to add more overhead.
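A small audit script for the httpd.conf points raised above (wildcard Include, ServerTokens, ServerSignature and the enabled cgi-bin ScriptAlias); this is an added example, not code from the post or from Oracle, and the httpd.conf excerpt it runs on is constructed to resemble the macro-style OHS file rather than copied from a real installation.

```python
import re
from typing import List, Optional

# Constructed httpd.conf excerpt modelled on the post's description (not a real OHS file).
SAMPLE_HTTPD_CONF = """\
ServerTokens Prod
ServerSignature Off
DocumentRoot "${ORACLE_INSTANCE}/config/OHS/${COMPONENT_NAME}/htdocs"
Include "${ORACLE_INSTANCE}/config/OHS/${COMPONENT_NAME}/moduleconf/*.conf"
ScriptAlias /cgi-bin/ "${ORACLE_INSTANCE}/config/OHS/${COMPONENT_NAME}/cgi-bin/"
"""


def audit_httpd_conf(conf_text: str) -> List[str]:
    """Return findings for the hardening points discussed in the post.

    Checks: wildcard Include paths, ServerTokens, ServerSignature and a
    ScriptAlias that exposes cgi-bin. Macros such as ${ORACLE_INSTANCE} are
    left unexpanded; the checks only need the directive and its argument.
    """
    findings: List[str] = []
    server_tokens: Optional[str] = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no configuration
        parts = line.split(None, 1)
        directive = parts[0]
        arg = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if directive in ("Include", "IncludeOptional") and re.search(r"[*?\[]", arg):
            # Any file dropped into the matched directory is loaded on restart.
            findings.append(f"wildcard Include loads every file matching {arg}")
        elif directive == "ServerTokens":
            server_tokens = arg
            if arg.lower() not in ("prod", "none"):
                findings.append(f"ServerTokens {arg} reveals version details")
        elif directive == "ServerSignature" and arg.lower() != "off":
            findings.append(f"ServerSignature {arg} appends server details to error pages")
        elif directive == "ScriptAlias" and "/cgi-bin/" in arg:
            # Only the execute bit on printenv/test-cgi stands between this and script execution.
            findings.append(f"cgi-bin is enabled via ScriptAlias {arg}")
    if server_tokens is None:
        findings.append("ServerTokens not set; the Apache default is Full")
    return findings


if __name__ == "__main__":
    for finding in audit_httpd_conf(SAMPLE_HTTPD_CONF):
        print(finding)
```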
Is ServerTokens None supported? This was added in Oracle's Apache 2.0 distribution and hopefully not dropped like mod_security.
The documentation does not list this as an option, but if you use the value None then you get a Server: header with no value, so it seems to work fine. I did a Google search for this and found references to the IOUG presentation from 2009 (http://www.slideshare.net/SecureDBA/2009706sheehanmulreanyppr). I also found a security assessment that Oracle did on 10.1.2 in 2007 (http://www.oracle.com/technology/deploy/security/seceval/pdf/OHS_10gR2_ecd_09.pdf) against the Common Criteria standard (http://www.commoncriteriaportal.org/). The Oracle document stated to set ServerTokens None.