ArcGIS Server 10.7.1 - Unauthorized SQL Query Execution

02-08-2021 08:51 AM
JasonFitzsimmons
Occasional Contributor

A security scan of an application I maintain that uses several ArcGIS 10.7.1 map services (hosted with a stand-alone ArcGIS Server, not Enterprise, on an AWS server, with IIS as the web server) produced this warning for all of the map services:

Oracle Application Server PL/SQL Unauthorized SQL Query Execution
It is possible to view, modify or delete database entries and tables.

I should note that we do not use Oracle dbs in this application (or anywhere in my org). I assume this warning has to do with Server's configuration and Apache Tomcat.

The report suggests this to remediate:
Block unauthenticated PUBLIC access to PL/SQL procedures and applications by adding the following rule to the file "$ORACLE_HOME$\Apache\modplsql\cfg\wdbsvr.app":

exclusion_list= account*, sys.*, dbms_*, owa*

Has anyone encountered this problem? I have never modified any internal configuration to ArcGIS Server.

4 Replies
George_Thompson
Esri Frequent Contributor

I know that if you are not careful with removing PUBLIC from the Oracle database (and its users) it could cause some erratic behavior. Here is a FAQ related to this: Can the execute privilege be removed from public on Oracle packages?

If you have other questions, you can also visit Trust | ArcGIS or work with Technical Support (recommended).

--- George T.
JasonFitzsimmons
Occasional Contributor

Hi, and thanks.

I should mention, we do not use an Oracle database in this application. I assume that the error is related to Server and Apache Tomcat.

George_Thompson
Esri Frequent Contributor

Ah, ok. Sorry I missed that part, the DB guy inside me.

I would reach out to Esri Technical support on this.

--- George T.
JasonFitzsimmons
Occasional Contributor

According to Esri security support, this is a false positive:

Without additional information to indicate otherwise, this is a false positive as indicated in the application response.

AppScan only reads the http 200 response code without validating the actual response body that indicates that the request is unsuccessful because the URL requested is invalid – that file doesn’t exist on the server.

https://community.esri.com/t5/arcgis-enterprise-questions/owa-util-signature/td-p/655594

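A way to check a finding like this yourself, as an added example that is not part of the thread and not Esri's or IBM's code: re-send the probe the scanner sent, but judge the reply by its body rather than by the status code alone, which is exactly the step the support answer says AppScan skipped. The probe path (`/pls/<dad>/owa_util.signature`), the PL/SQL Web Toolkit banner used as the "confirmed" marker, the "not found" wording used as the "false positive" marker, and all sample responses are assumptions constructed for the example, not captured from any real server.

```python
"""Triage a scanner finding that was raised on HTTP status alone.

Added example, not code from the thread or from Esri. It replays a
PL/SQL gateway probe and classifies the answer by its body, since a
server that does not run mod_plsql may still answer HTTP 200 with an
error page for a URL that does not exist.
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass

# Assumption: a real Oracle PL/SQL gateway answering owa_util.signature
# would carry the PL/SQL Web Toolkit banner (or an ORA- error) in the body.
ORACLE_MARKERS = (
    re.compile(r"PL/SQL (Web Toolkit|Cartridge)", re.I),
    re.compile(r"\bORA-\d{5}\b"),
)

# Assumption: a non-Oracle server that returns 200 for an unknown path
# says so in the body, e.g. an ArcGIS-style JSON error or an HTML page.
NOT_FOUND_MARKERS = (
    re.compile(r"\bnot found\b", re.I),
    re.compile(r"\binvalid url\b", re.I),
    re.compile(r'"code"\s*:\s*(400|404)\b'),
)


@dataclass
class Verdict:
    status: int
    label: str    # "confirmed", "false_positive" or "needs_review"
    reason: str


def classify(status: int, body: str) -> Verdict:
    """Decide what a probe response actually says.

    A scanner keyed on status 200 alone would flag every 200 below;
    only a body with an Oracle marker is evidence of a PL/SQL gateway.
    """
    if any(p.search(body) for p in ORACLE_MARKERS):
        return Verdict(status, "confirmed",
                       "body carries an Oracle PL/SQL gateway marker")
    if status in (403, 404):
        return Verdict(status, "false_positive",
                       f"HTTP {status} is not a gateway response")
    if any(p.search(body) for p in NOT_FOUND_MARKERS):
        return Verdict(status, "false_positive",
                       "HTTP 200 but the body reports the resource does not exist")
    return Verdict(status, "needs_review",
                   "HTTP 200 with a body that is neither an error nor a gateway banner")


def probe(url: str, timeout: float = 10.0) -> Verdict:
    """Fetch the URL the scanner complained about and classify the reply."""
    req = urllib.request.Request(url, headers={"User-Agent": "scan-triage/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status,
                            resp.read(65536).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # 4xx/5xx replies still have a body worth inspecting
        return classify(err.code, err.read(65536).decode("utf-8", "replace"))


# Constructed sample responses (hypothetical, not captured from a real host).
SAMPLES = {
    "arcgis_200_json_error": (200, '{"error":{"code":404,"message":"Resource not found"}}'),
    "iis_404": (404, "<html><body>404 - File or directory not found.</body></html>"),
    "oracle_gateway": (200, "This page was produced by the PL/SQL Web Toolkit on 08 FEB 2021"),
    "unknown_200": (200, "<html><body>Welcome</body></html>"),
}


def triage_samples() -> dict:
    """Run the classifier over the constructed samples; returns name -> label."""
    return {name: classify(status, body).label for name, (status, body) in SAMPLES.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # e.g. python triage.py https://host/pls/dad/owa_util.signature
        v = probe(sys.argv[1])
        print(f"{v.label}: HTTP {v.status}, {v.reason}")
    else:
        for name, label in triage_samples().items():
            print(f"{name:24s} -> {label}")
```

Only a "confirmed" verdict means the host really answered as an Oracle PL/SQL gateway; a "needs_review" verdict is the case worth sending to support along with the raw response, since the body is neither an error page nor a banner.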