Open Source Vulnerability Database (OSVDB) Crash

These days OSVDB crashes very often. Today the crash even leaked details of the server's internal structure. What is going on?

What is OSVDB?

“Open Sourced Vulnerability Database (OSVDB) is an independent and open-sourced database. The goal of the project is to provide accurate, detailed, current, and unbiased technical information on security vulnerabilities. The project promotes greater, open collaboration between companies and individuals.

Its goal is to provide accurate, unbiased information about security vulnerabilities in computerized equipment. The core of OSVDB is a relational database which ties various information about security vulnerabilities into a common, cross-referenced open security data source. As of November, 2013, the database catalogs over 100,000 vulnerabilities.” (Wikipedia)


Oracle Access Manager Webserver Plugin Subcomponent Unspecified Remote DoS CVE-2014-2052

Exploit Title: Oracle Access Manager Webserver Plugin Subcomponent Unspecified Remote DoS
Product: Access Manager component in Oracle Fusion Middleware
Vendor: Oracle
Vulnerable Versions:,,,,,, and
Advisory Publication: Apr 15, 2014
Latest Update: Apr 15, 2014
Vulnerability Type: Uncontrolled Resource Consumption [CWE-400]
CVE Reference: CVE-2014-2452
Risk Level: Medium
CVSS v2 Base Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
Solution Status: Fixed by Vendor
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]
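The header above gives only the final CVSS v2 score and its vector. As an added example (not part of the original page or of Oracle's or the reporter's material), the small calculator below recomputes the base score from the vector using the CVSS v2 metric weights and equations, so a reader can check that AV:N/AC:L/Au:S/C:P/I:N/A:N really does yield 4.0. Because the impact equation treats C, I and A symmetrically, a vector with the Partial impact on Availability instead (matching the "Loss of Availability" wording later on this page) gives the same 4.0; that variant is a constructed comparison, not a vector the page prints.

```python
# Added example (not from the original page): CVSS v2 base-score calculator.
# Weights and equations follow the CVSS v2.0 specification; the vector
# strings used below are the page's own plus constructed variants.
import re

# Base metric weights from CVSS v2.0.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},   # Access Vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},    # Access Complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},   # Authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},    # Confidentiality impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},    # Integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},    # Availability impact
}

# Accept the six base metrics in their canonical order, with or without parentheses.
VECTOR_RE = re.compile(r"^\(?AV:[LAN]/AC:[HML]/Au:[MSN]/C:[NPC]/I:[NPC]/A:[NPC]\)?$")


def is_valid_vector(vector: str) -> bool:
    """True if the string is a well-formed CVSS v2 base vector."""
    return VECTOR_RE.match(vector) is not None


def parse_vector(vector: str) -> dict:
    """Split 'AV:N/AC:L/...' into {metric: value}; reject malformed input."""
    if not is_valid_vector(vector):
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    return dict(part.split(":") for part in vector.strip("()").split("/"))


def impact_subscore(m: dict) -> float:
    """Impact = 10.41 * (1 - (1-C) * (1-I) * (1-A))."""
    c, i, a = (WEIGHTS[k][m[k]] for k in ("C", "I", "A"))
    return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))


def exploitability_subscore(m: dict) -> float:
    """Exploitability = 20 * AV * AC * Au."""
    return 20 * WEIGHTS["AV"][m["AV"]] * WEIGHTS["AC"][m["AC"]] * WEIGHTS["Au"][m["Au"]]


def base_score(vector: str) -> float:
    """Base = round1(((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact))."""
    m = parse_vector(vector)
    impact = impact_subscore(m)
    if impact == 0:          # f(Impact) is 0 when there is no impact at all
        return 0.0
    exploitability = exploitability_subscore(m)
    return round(((0.6 * impact) + (0.4 * exploitability) - 1.5) * 1.176, 1)


if __name__ == "__main__":
    page_vector = "AV:N/AC:L/Au:S/C:P/I:N/A:N"        # vector as printed in the advisory header
    availability_variant = "AV:N/AC:L/Au:S/C:N/I:N/A:P"  # constructed: Partial on A instead of C
    for v in (page_vector, availability_variant):
        m = parse_vector(v)
        print(f"{v}: impact={impact_subscore(m):.3f} "
              f"exploitability={exploitability_subscore(m):.3f} base={base_score(v)}")
```

Running the block prints the two subscores beside the rounded base score, which makes it easy to see that the authenticated (Au:S) and partial-impact choices are what keep this finding at Medium rather than higher.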

Original advisory
Jing Wang has reported two vulnerabilities in Oracle Access Manager, which can be exploited by malicious users to disclose potentially sensitive information and cause a DoS (Denial of Service).

1) An unspecified error within the “WebGate” sub-component can be exploited to disclose certain Oracle Access Manager accessible data.

This vulnerability is reported in versions,,,,,, and

2) An unspecified error within the “Webserver Plugin” sub-component can be exploited to cause a hang or frequently repeatable crash of the application.

This vulnerability is reported in version

Extra information
Solution : Apply updates.
Reported by : Jing Wang.
Changelog : 2014-06-13: Updated “Description” section and credits. Added one link to the “Original Advisory” section.
Reference original advisory : Oracle:

Vigilantes testing security of IT systems

SINGAPORE: Call them cybersecurity vigilantes if you will, or “white hats” – as they are known in the hacking world.

Mr Wang Jing and Mr Zhao Hainan are part of a growing group of individuals who are taking it upon themselves to test the security of information systems in organisations and report security flaws.

Earlier this month, Mr Zhao, 26, a National University of Singapore computer science postgraduate student, managed to hack into M1’s pre-order site for the iPhone 6 and 6 Plus to access personal data, including phone and NRIC numbers, as well as home addresses of the telco’s customers. He then alerted the company.

M1, which temporarily suspended all pre-orders to carry out an investigation, said it appreciated the fact that Mr Zhao, who was not identified in previous media reports, had taken the time to inform the firm about the potential security flaw and would not be taking any action against him.

Speaking to TODAY, Mr Zhao, a Singapore permanent resident, said his interest in hacking began after he had taken a module on website security. He added that he makes sure he does not break any laws and would report any vulnerabilities he discovered to website owners.

“I want to make the Internet a safer place. So, over the years, I will try to hack (into) a website when I feel interested in (it) … I also do it out of curiosity,” he said.

For Mr Wang, who is pursuing a PhD in mathematics at Nanyang Technological University’s School of Physical and Mathematical Sciences, testing websites for vulnerabilities is a hobby he started early this year.

After reading up on computer security, he tested some well-known social networking sites, as well as websites of banks here and other popular Singapore-based sites.

“I believe making the Web more secure is beneficial to users … I am happy to do something that is useful,” said Mr Wang, who is in his 20s.

Apart from individuals, there are also groups of cybersecurity watchdogs, including the 400-member Singapore Security Meetup Group.

Led by Infotect Security managing director Wong Onn Chee, the informal group comprises cybersecurity experts. They do not do penetration testing of websites, as this could potentially run afoul of laws if it is unauthorised.

Mr Wong said the group members have informed organisations when they came across websites using technology or carrying out transactions that were highly suspected to be vulnerable.

Mr Anthony Lim, a member of the Application Security Advisory Board at ISC2, a not-for-profit association for information security professionals, cautioned against individuals performing “ethical hacking”.

“We don’t want anonymous ‘superhero-wannabe’ types … running around loose in cyberspace trying to do good by quietly hacking into your system without your prior knowledge and approval … even if they don’t cause any damage or steal any data,” he said.


Oracle Access Manager ( CVE-2014-2452) contains an unspecified flaw related to the Webserver plugin subcomponent.


Oracle Access Manager contains an unspecified flaw related to the Webserver plugin subcomponent. This may allow an authenticated remote attacker to cause a denial of service. No further details have been provided by the vendor.
Location: Remote / Network Access
Attack Type: Attack Type Unknown
Impact: Loss of Availability
Solution: Patch / RCS
Exploit: Exploit Unknown
Disclosure: Vendor Verified

Reporter: Wang Jing

Known Affiliations: