Security-scan risk on port 8888 and the ora.oc4j resource in Oracle 11g R2
A recent security scan found that the database server host exposes port 8888. Accessing that port over HTTP returns the Oracle Containers for J2EE (OC4J) page. OC4J is a J2EE-certified application server that supports JSP, EJB, Servlets and similar components. Looking at the user processes on the host confirms a single OC4J JVM, started by the Oracle CRS built-in resource ora.oc4j. It normally serves no purpose for the database, so the service can be stopped. Environment: Oracle 11.2.0.3.7 RAC on AIX 6.1.
# Access
http://server:8888
Oracle Containers for J2EE (OC4J)
# Ports
anbob:/# netstat -aAn|grep 8888
f1000e00014babb8 tcp 0 0 *.8888 *.* LISTEN
anbob:/# netstat -aAn|grep 23792
f1000e0039e073b8 tcp 0 0 *.23792 *.* LISTEN
# Find the process owning the port
There is no lsof on this machine, so kdb is used instead.
anbob:/# kdb
START END
0000000000001000 0000000004160000 start+000FD8
F00000002FF47600 F00000002FFDF9C8 __ublock+000000
000000002FF22FF4 000000002FF22FF8 environ+000000
000000002FF22FF8 000000002FF22FFC errno+000000
F1000F0A00000000 F1000F0A10000000 pvproc+000000
F1000F0A10000000 F1000F0A18000000 pvthread+000000
read vscsi_scsi_ptrs OK, ptr = 0x0
(0)> sockinfo f1000e00014babb8 tcpcb
...
(0)> more (^C to quit) ?
proc/fd: fd: 202
SLOT NAME STATE PID PPID ADSPACE CL #THS
pvproc+358C00 3427*java ACTIVE 163039A 0000001 00000005E3BDE590 0 005F
(0)> hcal 163039A
Value hexa: 0163039A Value decimal: 23266202
The same method for port 23792 is not shown again; it resolves to the same process, 23266202.
# Confirm the process
oracle@anbob:/home/oracle> ps -ef|grep 23266202
oracle 32965264 13435746 0 15:58:26 pts/3 0:00 grep 23266202
grid 23266202 1 0 Dec 22 - 39:03 /oracle/app/11.2.0.3/grid/jdk/jre//bin/java -d64 -server -Xms128M -Xmx384M -Djava.awt.headless=true -Ddisable.checkForUpdate=true -Dstdstream.filesize=100 -Dstdstream.filenumber=10 -DTRACING.ENABLED=false -Doracle.wlm.dbwlmlogger.logging.level=INFO -Dport.rmi=23792 -jar /oracle/app/11.2.0.3/grid/oc4j/j2ee/home/oc4j.jar -config /oracle/app/11.2.0.3/grid/oc4j/j2ee/home/OC4J_DBWLM_config/server.xml -out /oracle/app/11.2.0.3/grid/oc4j/j2ee/home/log/oc4j.out -err /oracle/app/11.2.0.3/grid/oc4j/j2ee/home/log/oc4j.err
grid@anbob:> srvctl config oc4j
OC4J is configured to run on port number 23792
root@anbob[/]#crsctl stat res ora.oc4j -p
NAME=ora.oc4j
TYPE=ora.oc4j.type
ACL=owner:grid:rwx,pgrp:oinstall:rwx,other::r--
ACTION_FAILURE_TEMPLATE=
ACTION_SCRIPT=%CRS_HOME%/bin/oc4jctl%CRS_SCRIPT_SUFFIX%
ACTIVE_PLACEMENT=1
AGENT_FILENAME=%CRS_HOME%/bin/scriptagent
AUTO_START=restore
CARDINALITY=1
CHECK_INTERVAL=60
DEFAULT_TEMPLATE=
DEGREE=1
DESCRIPTION=Oracle OC4J resource
ENABLED=1
FAILOVER_DELAY=0
FAILURE_INTERVAL=3600
FAILURE_THRESHOLD=2
HOSTING_MEMBERS=
LOAD=1
LOGGING_LEVEL=1
NLS_LANG=
NOT_RESTARTING_TEMPLATE=
OFFLINE_CHECK_INTERVAL=0
PLACEMENT=balanced
PORT=23792
PROFILE_CHANGE_TEMPLATE=
RESTART_ATTEMPTS=1
SCRIPT_TIMEOUT=60
SERVER_POOLS=*
START_DEPENDENCIES=
START_TIMEOUT=300
STATE_CHANGE_TEMPLATE=
STOP_DEPENDENCIES=
STOP_TIMEOUT=120
TYPE_VERSION=1.1
UPTIME_THRESHOLD=1d
USR_ORA_ENV=
VERSION=11.2.0.3.0
By default, OC4J has a web server configured to listen for HTTP requests on port 8888; you can change the port by editing default-web-site.xml. The oc4j_ormi_port defaults to 23791; note that in this case the port was 23792.
MOS note Security Vulnerability Scan detects Exposed Port on ora.oc4j Resource (Doc ID 1922349.1) records a bug for a similar exposed port and states it is fixed after 11.2.0.3.4; that note does not mention port 8888.
Shutting down the oc4j resource stops the service and closes the port.
-- Stop the OC4J resource
srvctl stop oc4j
-- Disable the OC4J service
srvctl disable oc4j
# Re-enable the resource
srvctl enable oc4j
srvctl start oc4j
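To make the check above repeatable (find the ora.oc4j JVM, read its RMI port from the command line, and report which OC4J ports are actually listening), here is an added shell example that is not part of the original post. The `ps -ef` and `netstat -an` text is constructed to mirror the output shown above; on a real host feed it the live command output instead.

```shell
#!/bin/sh
# Added example (not from the original post). Parses captured `ps -ef` and
# `netstat -an` output to locate the OC4J JVM started by ora.oc4j, read its
# -Dport.rmi value, and list which OC4J ports (HTTP 8888 plus the RMI port)
# are in LISTEN state. Sample text is constructed for offline use.

PS_SAMPLE='oracle 32965264 13435746 0 15:58:26 pts/3 0:00 grep oc4j
grid 23266202 1 0 Dec 22 - 39:03 /oracle/app/11.2.0.3/grid/jdk/jre//bin/java -d64 -server -Dport.rmi=23792 -jar /oracle/app/11.2.0.3/grid/oc4j/j2ee/home/oc4j.jar'

NETSTAT_SAMPLE='f1000e00014babb8 tcp 0 0 *.8888 *.* LISTEN
f1000e0039e073b8 tcp 0 0 *.23792 *.* LISTEN
f1000e0039e07000 tcp 0 0 127.0.0.1.1521 *.* LISTEN'

# oc4j_pid PS_TEXT: PID of the java process running oc4j.jar (skips the grep line)
oc4j_pid() {
  printf '%s\n' "$1" | grep 'oc4j.jar' | grep -v ' grep ' | awk '{print $2}' | head -n 1
}

# oc4j_rmi_port PS_TEXT: value of -Dport.rmi= on the oc4j.jar command line
oc4j_rmi_port() {
  printf '%s\n' "$1" | grep 'oc4j.jar' | grep -v ' grep ' \
    | sed -n 's/.*-Dport\.rmi=\([0-9]*\).*/\1/p' | head -n 1
}

# port_listening PORT NETSTAT_TEXT: succeeds if a socket listens on *.PORT
# (local address is the third field from the end, so the PCB column is harmless)
port_listening() {
  printf '%s\n' "$2" | awk -v p="$1" \
    '$NF=="LISTEN" && $(NF-2) ~ ("\\." p "$") {found=1} END {exit !found}'
}

# exposed_ports PS_TEXT NETSTAT_TEXT: space-separated OC4J ports that are listening
exposed_ports() {
  rmi=$(oc4j_rmi_port "$1")
  out=""
  for port in 8888 $rmi; do
    if port_listening "$port" "$2"; then out="$out $port"; fi
  done
  printf '%s\n' "${out# }"
}

# Stand-alone run against the constructed samples; prints the remediation hint
report=$(exposed_ports "$PS_SAMPLE" "$NETSTAT_SAMPLE")
if [ -n "$report" ]; then
  echo "OC4J pid $(oc4j_pid "$PS_SAMPLE") is listening on: $report"
  echo "Remediation: srvctl stop oc4j; srvctl disable oc4j"
fi
```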
-- over --