Announcement

Collapse
No announcement yet.

6.3 Open Proxy -- Security Issue

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • 6.3 Open Proxy -- Security Issue

    All,

    Over the past weekend, we discovered that there could be a possible security issue with OTM 6.3.x. We started to notice on one of our sites that our Oracle HTTP server logs were filling up at a unusually high rate.

    After some digging around I found out that in the otm.conf there is a property ProxyRequests On. This property enables the server to act as a public proxy. I tried to turn this off but the issue is still happening. I have opened an Oracle SR but haven't made any process in over 2 weeks with them.

    Nick
    If my post was helpful please click on the Thanks! button

    MavenWire Hosting Admin
    15 years of OTM experience

  • #2
    Re: 6.3 Open Proxy -- Security Issue

    Oracle has responded and everyone should remove the ProxyRequests On from their otm.conf file, then restart their Oracle HTTP server.

    You can test this but doing the following:

    http_proxy=http://yourotminstance.com wget Oracle Corporation - Wikipedia, the free encyclopedia if you get a 404 error the OpenProxy is disabled. If it goes through and grabs the file, it isn't and you have a security issue.

    You will still continue to have requests if you have been made aware by the public internet as an open proxy but hopefully some time will go by and it will stop. There isn't much you can do except block all traffic at the firewall level and allow just the range you want. I'm sure our http access logs will be filling up for a while.

    I had this change made but I didn't know how to test if it was working. Thanks to Oracle for the assistance.

    Nick
    If my post was helpful please click on the Thanks! button

    MavenWire Hosting Admin
    15 years of OTM experience

    Comment


    • #3
      Re: 6.3 Open Proxy -- Security Issue

      Hi Nick,

      Thank you for the above information. and i would like to ask you if this issue had any impact on e-mail notifications.

      Also, is there any change on SMTP setup for OTM 6.3.1? Because on a newly installed 6.3.1 instance i'm facing a weird issue wherein the logs tell 'e-mail is triggered', 'workflow completed' & 'notify contact - done' but actually no e-mail has been received so far. I've the below properties configured., If you could check and guide me through this issue it would be very helpful.

      glog.mail.smtp.host=xxx.com

      glog.workflow.notify.defaultSmtphost=xxx.com

      glog.workflow.notify.advisor.name=G-Log Advisor

      glog.workflow.notify.advisor.email=xxx.com

      --Regards
      --
      Regards
      Palaniappan Chithambaram

      ORACLE Certified OTM Implementation Specialist

      Comment


      • #4
        Re: 6.3 Open Proxy -- Security Issue

        Originally posted by cusert View Post
        Hi Nick,

        Thank you for the above information. and i would like to ask you if this issue had any impact on e-mail notifications.

        Also, is there any change on SMTP setup for OTM 6.3.1? Because on a newly installed 6.3.1 instance i'm facing a weird issue wherein the logs tell 'e-mail is triggered', 'workflow completed' & 'notify contact - done' but actually no e-mail has been received so far. I've the below properties configured., If you could check and guide me through this issue it would be very helpful.

        glog.mail.smtp.host=xxx.com

        glog.workflow.notify.defaultSmtphost=xxx.com

        glog.workflow.notify.advisor.name=G-Log Advisor

        glog.workflow.notify.advisor.email=xxx.com

        --Regards
        I haven't heard of any issues. Could it be that your SMTP is blocking based off what you have in your glog.workflow.notify.advisor.email address? Is it the same as what you had in 6.2?

        Nick
        If my post was helpful please click on the Thanks! button

        MavenWire Hosting Admin
        15 years of OTM experience

        Comment


        • #5
          Re: 6.3 Open Proxy -- Security Issue

          Really to know how the smtp is working ..

          Comment

          Working...
          X