Apply a PatchWhen available, apply the appropriate patch. Oracle typically releases Security Alerts that include patch information.Restrict AccessThe report from NGSSoftware recommends “ensuring that the administration pages for the PL/SQL module have been protected.” This implies that the vulnerability lies in the HTML administration interface for the PL/SQL module, which would be similar to a previously announced vulnerability [VU#659043]. In the default configuration, the administration pages are available to anyone who is able to access to the web server [VU#611776].Access to the PL/SQL gateway administration web pages can be restricted by specifying authorized user names and connect strings or an administrative Database Access Descriptor (DAD) in the PL/SQL gateway configuration file, /Apache/modplsql/cfg/wdbsvr.app. For more information, read the section titled Using the PL/SQL Gateway in the Oracle iAS documentation for the Oracle HTTP Server powered by Apache.Disable Unnecessary ServicesIf this vulnerability is in the PL/SQL HTTP administration interface, it may be possible to disable the HTTP interface and make configuration changes to the PL/SQL module by modifying the configuration file directly.Disable the PL/SQL service (modplsql or mod_plsql in Apache).Use Least PrivilegeRun Oracle Application Server under a user account with the least privilege possible. Note that this workaround will not prevent exploitation, but may limit the impact of an attack.