How do I fix Oracle Apache Trace and Track vulnerability?
618326 Jan 14 2009 — edited Jan 31 2010
Hi All,
After a vulnerability scan of our Oracle 10g (10.1.2.0.2) OID & Portal environments and Oracle 6i (9.0.2.2) Forms & Reports machines, I found a vulnerability with Trace & Track (http://www.kb.cert.org/vuls/id/867593) on these machines. The proposed fix for Apache is as follows:
------
Apache HTTP Server
To disable HTTP TRACE support, set TraceEnable Off.
Alternatively, use the Apache mod_rewrite module to deny HTTP TRACE requests or to permit only the methods needed to meet site requirements and policy. TRACE requests can be disabled with the following mod_rewrite syntax:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
------
However, this did not resolve the vulnerability. I realize that Oracle has modified Apache and so a non-standard approach may be required. Does anyone know of a fix for either version of Oracle (10g or 6i)?
Thanks in advance!
Sunil
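
A way to confirm, independently of the scanner, whether a given listener still answers TRACE or TRACK after the change described in the post above. This is an added example, not part of the original post or any Oracle tooling; the header name `X-Trace-Check`, the function names and the sample responses are constructed for illustration. It relies on the standard Apache behaviour that `TraceEnable Off` yields 405 and a mod_rewrite `[F]` rule yields 403.

```python
import http.client

MARKER_NAME = "X-Trace-Check"   # hypothetical header, used only to spot the echo
MARKER_VALUE = "probe-1"


def classify_trace_response(status, content_type, body):
    """Classify a reply to TRACE/TRACK as 'enabled', 'disabled' or 'inconclusive'."""
    if status in (403, 405, 501):
        # 403: mod_rewrite [F]; 405: TraceEnable Off; 501: method not implemented
        return "disabled"
    echoed = f"{MARKER_NAME}: {MARKER_VALUE}".lower() in body.lower()
    is_trace_type = content_type.lower().startswith("message/http")
    if status == 200 and (is_trace_type or echoed):
        # The server reflected our request back: the method is still live here.
        return "enabled"
    # e.g. a 200 HTML page or a redirect: something answered, but not a TRACE echo
    return "inconclusive"


def probe(host, port=80, method="TRACE", use_tls=False, timeout=5):
    """Send one TRACE or TRACK request to a listener you administer and classify it."""
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request(method, "/", headers={MARKER_NAME: MARKER_VALUE})
        resp = conn.getresponse()
        body = resp.read(65536).decode("latin-1")
        return classify_trace_response(
            resp.status, resp.getheader("Content-Type", ""), body)
    finally:
        conn.close()


# Constructed sample replies (not captured from a real server).
SAMPLES = {
    "echo": (200, "message/http",
             "TRACE / HTTP/1.1\r\nHost: app\r\nX-Trace-Check: probe-1\r\n\r\n"),
    "rewrite_forbidden": (403, "text/html", "<h1>Forbidden</h1>"),
    "traceenable_off": (405, "text/html", "<h1>Method Not Allowed</h1>"),
    "plain_page": (200, "text/html", "<html>index</html>"),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, "->", classify_trace_response(*sample))
```

Run `probe()` once per listening port the scanner flagged, with both `method="TRACE"` and `method="TRACK"`, since a fix applied to one listener does not prove the others are covered.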