Security scan flags port 8888 as a risk, and the ora.oc4j resource in Oracle 11g R2

A recent security scan found that a database server host exposes port 8888. Accessing that port over HTTP returns the Oracle Containers for J2EE (OC4J) page. OC4J is a J2EE-certified application server that supports JSP, EJB, Servlets and similar components. Checking the user processes on the host confirms a single JVM running OC4J, started by the ora.oc4j resource that ships with Oracle CRS. It is usually of no use to the database, so the service can be stopped. Environment: Oracle 11.2.0.3.7 RAC on AIX 6.1.

# Access
http://server:8888  
Oracle Containers for J2EE (OC4J)

# Ports
anbob:/#  netstat  -aAn|grep 8888
f1000e00014babb8 tcp        0      0  *.8888                *.*                   LISTEN
anbob:/#  netstat  -aAn|grep 23792
f1000e0039e073b8 tcp        0      0  *.23792               *.*                   LISTEN

# Find the process holding the port
There is no lsof tool on this machine, so kdb is used instead.
anbob:/#  kdb
           START              END 
0000000000001000 0000000004160000 start+000FD8
F00000002FF47600 F00000002FFDF9C8 __ublock+000000
000000002FF22FF4 000000002FF22FF8 environ+000000
000000002FF22FF8 000000002FF22FFC errno+000000
F1000F0A00000000 F1000F0A10000000 pvproc+000000
F1000F0A10000000 F1000F0A18000000 pvthread+000000
read vscsi_scsi_ptrs OK, ptr = 0x0
(0)> sockinfo f1000e00014babb8 tcpcb
...
(0)> more (^C to quit) ? 
proc/fd: fd: 202               
              SLOT NAME     STATE      PID    PPID          ADSPACE  CL #THS
                               
pvproc+358C00 3427*java     ACTIVE 163039A 0000001 00000005E3BDE590   0 005F

(0)> hcal 163039A
Value hexa: 0163039A          Value decimal: 23266202

The same method applied to port 23792 is not repeated here; it also maps to process 23266202.
# Confirm the process
oracle@anbob:/home/oracle> ps -ef|grep 23266202
  oracle 32965264 13435746   0 15:58:26  pts/3  0:00 grep 23266202
    grid 23266202        1   0   Dec 22      - 39:03 /oracle/app/11.2.0.3/grid/jdk/jre//bin/java -d64 -server -Xms128M -Xmx384M -Djava.awt.headless=true -Ddisable.checkForUpdate=true -Dstdstream.filesize=100 -Dstdstream.filenumber=10 -DTRACING.ENABLED=false -Doracle.wlm.dbwlmlogger.logging.level=INFO -Dport.rmi=23792 -jar /oracle/app/11.2.0.3/grid/oc4j/j2ee/home/oc4j.jar -config /oracle/app/11.2.0.3/grid/oc4j/j2ee/home/OC4J_DBWLM_config/server.xml -out /oracle/app/11.2.0.3/grid/oc4j/j2ee/home/log/oc4j.out -err /oracle/app/11.2.0.3/grid/oc4j/j2ee/home/log/oc4j.err

grid@anbob:> srvctl config oc4j
OC4J is configured to run on port number 23792

root@anbob[/]#crsctl stat res ora.oc4j -p
NAME=ora.oc4j
TYPE=ora.oc4j.type
ACL=owner:grid:rwx,pgrp:oinstall:rwx,other::r--
ACTION_FAILURE_TEMPLATE=
ACTION_SCRIPT=%CRS_HOME%/bin/oc4jctl%CRS_SCRIPT_SUFFIX%
ACTIVE_PLACEMENT=1
AGENT_FILENAME=%CRS_HOME%/bin/scriptagent
AUTO_START=restore
CARDINALITY=1
CHECK_INTERVAL=60
DEFAULT_TEMPLATE=
DEGREE=1
DESCRIPTION=Oracle OC4J resource
ENABLED=1
FAILOVER_DELAY=0
FAILURE_INTERVAL=3600
FAILURE_THRESHOLD=2
HOSTING_MEMBERS=
LOAD=1
LOGGING_LEVEL=1
NLS_LANG=
NOT_RESTARTING_TEMPLATE=
OFFLINE_CHECK_INTERVAL=0
PLACEMENT=balanced
PORT=23792
PROFILE_CHANGE_TEMPLATE=
RESTART_ATTEMPTS=1
SCRIPT_TIMEOUT=60
SERVER_POOLS=*
START_DEPENDENCIES=
START_TIMEOUT=300
STATE_CHANGE_TEMPLATE=
STOP_DEPENDENCIES=
STOP_TIMEOUT=120
TYPE_VERSION=1.1
UPTIME_THRESHOLD=1d
USR_ORA_ENV=
VERSION=11.2.0.3.0

By default, OC4J has a web server configured to listen for HTTP requests on port 8888; you can change the port by editing default-web-site.xml. The ORMI port (oc4j_ormi_port) defaults to 23791; note that in this case the port was 23792.

The MOS note "Security Vulnerability Scan detects Exposed Port on ora.oc4j Resource" (Doc ID 1922349.1) records a bug for a similar exposed port and states it is fixed in 11.2.0.3.4 and later; that note does not mention port 8888.

Stopping the oc4j resource shuts down the service and closes the port.

-- Stop the OC4J resource
srvctl stop oc4j
-- Disable the OC4J resource
srvctl disable oc4j

# Restore the resource
srvctl enable oc4j
srvctl start oc4j
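As an added verification check (my own script, not part of the original post and not an Oracle tool), the POSIX shell below parses the two kinds of output shown above, AIX `netstat -aAn` and `crsctl stat res ora.oc4j -p`, and reports which OC4J ports are actually listening: the fixed HTTP port 8888 and the RMI port read from the resource's PORT attribute. The sample outputs embedded in it are constructed to match the format in this post, and the function names are mine; run it before and after `srvctl stop oc4j` / `srvctl disable oc4j` to confirm the exposure is gone.

```shell
#!/bin/sh
# Added verification check (not part of the original post): parse AIX-style
# `netstat -aAn` output and `crsctl stat res ora.oc4j -p` output to report
# whether the OC4J HTTP port (8888) and the configured RMI port are listening.
# The two samples below are constructed from the format shown in the post.

NETSTAT_SAMPLE='f1000e00014babb8 tcp        0      0  *.8888                *.*                   LISTEN
f1000e0039e073b8 tcp        0      0  *.23792               *.*                   LISTEN
f1000e0039e07000 tcp        0      0  *.1521                *.*                   LISTEN
f1000e0039e08000 tcp        0      0  10.0.0.5.1521         10.0.0.9.40122        ESTABLISHED'

CRS_SAMPLE='NAME=ora.oc4j
TYPE=ora.oc4j.type
ENABLED=1
PORT=23792
VERSION=11.2.0.3.0'

# crs_attr KEY: print the value of KEY from "crsctl stat res -p" output on stdin.
crs_attr() {
    awk -F= -v k="$1" '$1 == k { print $2; exit }'
}

# port_listening PORT: exit 0 when a TCP socket in LISTEN state on PORT
# appears in the netstat output on stdin. The local address is the field two
# places before the state column, so the check works with and without -A;
# the port separator may be "." (AIX) or ":" (Linux).
port_listening() {
    awk -v p="$1" '
        $2 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($(NF-2), a, /[.:]/)
            if (a[n] == p) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# oc4j_exposed_ports NETSTAT_OUTPUT CRS_OUTPUT: print the OC4J ports that are
# listening, i.e. the fixed HTTP port 8888 and the RMI port from PORT=.
oc4j_exposed_ports() {
    rmi_port=$(printf '%s\n' "$2" | crs_attr PORT)
    out=""
    for p in 8888 "$rmi_port"; do
        if printf '%s\n' "$1" | port_listening "$p"; then
            out="$out $p"
        fi
    done
    printf '%s\n' "${out# }"
}

# On a live host replace the samples with real command output:
#   oc4j_exposed_ports "$(netstat -aAn)" "$(crsctl stat res ora.oc4j -p)"
# After "srvctl stop oc4j; srvctl disable oc4j" the port list should be empty.
echo "listening OC4J ports: $(oc4j_exposed_ports "$NETSTAT_SAMPLE" "$CRS_SAMPLE")"
echo "ora.oc4j ENABLED=$(printf '%s\n' "$CRS_SAMPLE" | crs_attr ENABLED)"
```

On the constructed sample the script reports both 8888 and 23792 as listening and ENABLED=1, which is exactly the state the scanner complained about; an empty port list together with ENABLED=0 is the expected state once the resource has been stopped and disabled.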

— over–