Saturday, November 8, 2008

Is your SOA suite is it secure?

I was trying to see if the servers we have is secure enough. What I wanted to know is that wether we were making some errors or the facts were not documented clearly enough. I did find the documentation regarding most problems in some document or the other, but is it clear for admins was the question.

So to find the answer I started looking for SOA suite available online.

Probably this notion would seem stupid why will anyone expose the SOA suite online, I thought that too. But I did an inurl:BPELConsole search and found atleast 10 websites that have their consoles being resulted in the search. Tried a few search engines including google.

The commonly known users are oc4jadmin, but what about bpeladmin and the default users. Nearly 80% of the sites did not have the passwords changed for the users. Could log in some of them seemed to be production sites others were testing sites.

Also a common error was the OWSM user admin with the password as oracle. Sadly most of these users were available to use.

I don't know how to contact the admins of these sites, anyone reading this blog please change the passwords. Go to the user management in the Application Server Console and remove all users that are not used or atleast change the passwords.

All sites had their oc4jadmin passwords changed but it's simply not good enough. Why were these consoles exposed to the internet I have no idea, I don't think it should be done.

Another probability is Denial Of Service attacks or brute force. I don't think (cannot confirm this though) the username for oc4jadmin can be changed. It makes brute force hack even simpler.

Is security still an aferthought for organizations !!! This scares me.

One of the sites I could log into. I have tried to remove all the information regarding who owns the site.


Nirav chhaya said...

Hiii Sashwat,

There are many reasons to keep your severs exposed on the internet. Being a middleware suite, it is frequently required to build the interfaces which are having endpoints on the internet.

You can think of the latest trends where customers prefer On-Demand or SaaS kind of services. Such kind of services are availed to their customers via internet. Therefore, these services requires to be consumed over the internet and also access your services that are of course :) on the internet.

Ideally, these servers should be secure in manner or services should have been exposed through registry/UDDI.

This is really an interesting topic. I would certainly like to know more and more about this.

sash said...

@Nirav chhaya
There should be a selective exposing of the interfaces, the interfaces in case of B2B and other such services makes sense but not exposing the server console. Say I am using an application server to deploy a web application, I would still prefer and it would be secure if I did not expose the application server console, but only the application. The same logic applies here :).