OHS must limit access to the Dynamic Monitoring Service (DMS).

From Oracle HTTP Server 12.1.3 Security Technical Implementation Guide

Associated with: CCI-000366

SV-79113r1_rule OHS must limit access to the Dynamic Monitoring Service (DMS).

Vulnerability discussion

The Oracle Dynamic Monitoring Service (DMS) enables application developers, support analysts, system administrators, and others to measure application specific performance information. If OHS allows any machine to connect and monitor performance, an attacker could connect and gather information that could be used to cause a DoS for OHS. Information that is shared could also be used to further an attack to other servers and devices through trusted relationships.

Check content

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//admin.conf in it with an editor. 2. Search for the "Allow" directive within the "" directive at the virtual host configuration scope. 3. If the "Allow" directive is set to "from all", this is a finding.

Fix text

1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS//admin.conf with an editor. 2. Search for the "Allow" directive within the "" virtual host configuration scope. 3. Set the "Allow" directive to "from 127.0.0.1".

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.