A recent security scan found that a database server host had port 8888 exposed. Accessing that port over HTTP returns the Oracle Containers for J2EE (OC4J) page. OC4J is a J2EE-certified application server providing JSP, EJB, Servlet and similar support. Checking the user processes on the host confirms a single JVM-based OC4J process, started by the ora.oc4j resource that ships with Oracle CRS (Clusterware). It is normally of no use to the database itself, so the service can be stopped. Environment: Oracle 11.2.0.3.7 RAC on AIX 6.1.
# Access
http://server:8888
Oracle Containers for J2EE (OC4J)
# Ports
anbob:/# netstat -aAn|grep 8888
f1000e00014babb8 tcp 0 0 *.8888 *.* LISTEN
anbob:/# netstat -aAn|grep 23792
f1000e0039e073b8 tcp 0 0 *.23792 *.* LISTEN
# Find the process holding the port
The machine has no lsof tool, so kdb is used instead.
anbob:/# kdb
START END
0000000000001000 0000000004160000 start+000FD8
F00000002FF47600 F00000002FFDF9C8 __ublock+000000
000000002FF22FF4 000000002FF22FF8 environ+000000
000000002FF22FF8 000000002FF22FFC errno+000000
F1000F0A00000000 F1000F0A10000000 pvproc+000000
F1000F0A10000000 F1000F0A18000000 pvthread+000000
read vscsi_scsi_ptrs OK, ptr = 0x0
(0)> sockinfo f1000e00014babb8 tcpcb
...
(0)> more (^C to quit) ?
proc/fd: fd: 202
SLOT NAME STATE PID PPID ADSPACE CL #THS
pvproc+358C00 3427*java ACTIVE 163039A 0000001 00000005E3BDE590 0 005F
(0)> hcal 163039A
Value hexa: 0163039A Value decimal: 23266202
The same method for port 23792 is not shown here; it resolves to the same process, 23266202.
# Confirm the process
oracle@anbob:/home/oracle> ps -ef|grep 23266202
oracle 32965264 13435746 0 15:58:26 pts/3 0:00 grep 23266202
grid 23266202 1 0 Dec 22 - 39:03 /oracle/app/11.2.0.3/grid/jdk/jre//bin/java -d64 -server -Xms128M -Xmx384M -Djava.awt.headless=true -Ddisable.checkForUpdate=true -Dstdstream.filesize=100 -Dstdstream.filenumber=10 -DTRACING.ENABLED=false -Doracle.wlm.dbwlmlogger.logging.level=INFO -Dport.rmi=23792 -jar /oracle/app/11.2.0.3/grid/oc4j/j2ee/home/oc4j.jar -config /oracle/app/11.2.0.3/grid/oc4j/j2ee/home/OC4J_DBWLM_config/server.xml -out /oracle/app/11.2.0.3/grid/oc4j/j2ee/home/log/oc4j.out -err /oracle/app/11.2.0.3/grid/oc4j/j2ee/home/log/oc4j.err
grid@anbob:> srvctl config oc4j
OC4J is configured to run on port number 23792
root@anbob[/]#crsctl stat res ora.oc4j -p
NAME=ora.oc4j
TYPE=ora.oc4j.type
ACL=owner:grid:rwx,pgrp:oinstall:rwx,other::r--
ACTION_FAILURE_TEMPLATE=
ACTION_SCRIPT=%CRS_HOME%/bin/oc4jctl%CRS_SCRIPT_SUFFIX%
ACTIVE_PLACEMENT=1
AGENT_FILENAME=%CRS_HOME%/bin/scriptagent
AUTO_START=restore
CARDINALITY=1
CHECK_INTERVAL=60
DEFAULT_TEMPLATE=
DEGREE=1
DESCRIPTION=Oracle OC4J resource
ENABLED=1
FAILOVER_DELAY=0
FAILURE_INTERVAL=3600
FAILURE_THRESHOLD=2
HOSTING_MEMBERS=
LOAD=1
LOGGING_LEVEL=1
NLS_LANG=
NOT_RESTARTING_TEMPLATE=
OFFLINE_CHECK_INTERVAL=0
PLACEMENT=balanced
PORT=23792
PROFILE_CHANGE_TEMPLATE=
RESTART_ATTEMPTS=1
SCRIPT_TIMEOUT=60
SERVER_POOLS=*
START_DEPENDENCIES=
START_TIMEOUT=300
STATE_CHANGE_TEMPLATE=
STOP_DEPENDENCIES=
STOP_TIMEOUT=120
TYPE_VERSION=1.1
UPTIME_THRESHOLD=1d
USR_ORA_ENV=
VERSION=11.2.0.3.0
By default, OC4J has a web server configured to listen for HTTP requests on port 8888; the port can be changed by editing default-web-site.xml. The oc4j_ormi_port defaults to 23791; note that in this case the RMI port was 23792 (-Dport.rmi=23792 on the java command line and PORT=23792 in the resource profile).
MOS note Security Vulnerability Scan detects Exposed Port on ora.oc4j Resource (Doc ID 1922349.1) records a bug for a similar exposed port and states it is fixed from 11.2.0.3.4 onward; that note does not mention port 8888.
Stopping the oc4j resource stops the service and closes the port.
-- Stop the OC4J resource
srvctl stop oc4j
-- Disable the OC4J resource
srvctl disable oc4j
# To restore the resource later
srvctl enable oc4j
srvctl start oc4j
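As an added example (not part of the original post), the following audit script turns the manual check above into something repeatable: it reads "netstat -aAn" style output for LISTEN sockets and the ora.oc4j profile from "crsctl stat res ora.oc4j -p", and flags the host when the OC4J HTTP port 8888 or the configured RMI PORT is listening. The sample netstat and profile text embedded below is constructed to mirror the output shown on this page.

```shell
#!/bin/sh
# Added example: OC4J exposure check for AIX/Clusterware hosts.
# Sample inputs are constructed to match the formats seen above.

NETSTAT_SAMPLE='f1000e00014babb8 tcp        0      0  *.8888     *.*     LISTEN
f1000e0039e073b8 tcp        0      0  *.23792    *.*     LISTEN
f1000e0039e0a3b8 tcp        0      0  *.1521     *.*     LISTEN'

CRS_PROFILE_SAMPLE='NAME=ora.oc4j
TYPE=ora.oc4j.type
ENABLED=1
PLACEMENT=balanced
PORT=23792'

# Print every local port in LISTEN state from netstat text on stdin.
# Local address is always third from last (local, foreign, state);
# the port is the text after the final dot (works for *.8888 and 10.0.0.1.8888).
listening_ports() {
    awk '$NF == "LISTEN" { n = split($(NF-2), a, "."); print a[n] }'
}

# Read one KEY=value attribute from crsctl profile text on stdin.
crs_attr() {
    awk -F= -v key="$1" '$1 == key { print $2; exit }'
}

# Return 0 (exposed) when the OC4J HTTP port or its configured RMI port
# is listening. Arguments: netstat text, crsctl profile text.
oc4j_exposed() {
    rmi_port=$(printf '%s\n' "$2" | crs_attr PORT)
    for p in $(printf '%s\n' "$1" | listening_ports); do
        [ "$p" = "8888" ] && { echo "OC4J HTTP port $p is listening"; return 0; }
        [ -n "$rmi_port" ] && [ "$p" = "$rmi_port" ] &&
            { echo "OC4J RMI port $p is listening"; return 0; }
    done
    return 1
}

# On a real host replace the samples with live command output, e.g.
#   oc4j_exposed "$(netstat -aAn)" "$(crsctl stat res ora.oc4j -p)"
if oc4j_exposed "$NETSTAT_SAMPLE" "$CRS_PROFILE_SAMPLE"; then
    echo "remediate: srvctl stop oc4j && srvctl disable oc4j"
fi
```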