Feature Request FR-4322
Product Area Security
Status CLOSED

1 Voters

Security enhancement: Address Information Disclosure

igor.duca Public
· Mar 7 2025

Idea Summary
APEX renders information about the used software version. The information can be used by attackers to narrow down further possible attack vectors. Examples are version information and detailed error messages. While this does not lead to an immediate security problem, it violates the security best practice of only exposing information that is required on the client side. 

Other Software like Apache can hide its version using the “ServerSignature Off” setting.

Use Case

Chrome inspector shows the following information on an APEX page: 

var apex = {env: {APP_USER: "name@email.com",APP_ID: "100",APP_PAGE_ID: "201",APP_SESSION: "123456789",APP_FILES: "r\…\…\…\…\…\…",WORKSPACE_FILES: "r\…\…\…\…\…",APEX_VERSION: "24.2.2",APEX_BASE_VERSION: "24.2",COMPATIBILITY_MODE: 21.2,NONCE: "5Xd_RPiQWBn8vhME_8_h5A"},
libVersions:{cropperJs:"1.6.2",domPurify:"3.1.6",fontapex:"2.4",fullcalendar:"6.1.15",hammer:"2.0.8",jquery:"3.6.4",jqueryUi:"1.13.2",maplibre:"4.6.0",mapboxGlRtlText:"0.3.0",markedJs:"14.1.2",prismJs:"1.29.0",oraclejet:"17.0.2",turndown:"7.2.0",monacoEditor:"0.51.0",lessJs:"4.2.0"}};

During the recent security assessment this has been identified as Information Disclosure (LOW) Finding.

Preferred Solution (Optional)
Offer an application setting to hide the information about the software version.

We reviewed this idea carefully, and while it was interesting, we concluded that it is unlikely to make its way into APEX in the foreseeable future.
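The use case above shows version strings sitting in the page's inline `apex` object. The script below is an added example written for this page, not code from Oracle or the APEX project: it pulls `APEX_VERSION` and the `libVersions` entries out of a page's HTML the way an assessment team would inventory what a site discloses, and flags any bundled library that falls below a minimum version. The sample page and the minimum-version table are constructed for the example; the DOMPurify threshold is an assumption to be confirmed against the CVE-2025-26791 advisory cited in the thread.

```python
"""Audit the version information an APEX page exposes in its inline `apex` object.

Added example (not Oracle's code). It scans HTML for the `apex.env` and
`apex.libVersions` literals quoted in the feature request, lists every version
string that is disclosed, and flags bundled libraries below an assumed minimum.
The sample page and the minimum-version inventory are constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a trimmed copy of the inline script the idea quotes.
SAMPLE_HTML = """<html><head><script>
var apex = {env: {APP_USER: "name@email.com",APP_ID: "100",APP_PAGE_ID: "201",
APP_SESSION: "123456789",APEX_VERSION: "24.2.2",APEX_BASE_VERSION: "24.2",
COMPATIBILITY_MODE: 21.2,NONCE: "5Xd_RPiQWBn8vhME_8_h5A"},
libVersions:{cropperJs:"1.6.2",domPurify:"3.1.6",jquery:"3.6.4",
jqueryUi:"1.13.2",markedJs:"14.1.2",prismJs:"1.29.0"}};
</script></head><body></body></html>"""

# Assumed inventory of minimum acceptable versions (hypothetical; maintain your
# own from vendor advisories). The DOMPurify entry is the fix level this example
# assumes for CVE-2025-26791, which the thread cites; verify it against the advisory.
MIN_VERSIONS = {
    "domPurify": "3.2.4",
    "jquery": "3.6.4",
}

# The env and libVersions objects in the sample contain no nested braces,
# so a lazy match up to the first closing brace captures each object body.
ENV_RE = re.compile(r'\bapex\s*=\s*\{\s*env\s*:\s*\{(.*?)\}', re.S)
LIBS_RE = re.compile(r'libVersions\s*:\s*\{(.*?)\}', re.S)
PAIR_RE = re.compile(r'(\w+)\s*:\s*"([^"]*)"')


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.1.6' into (3, 1, 6); non-numeric parts are ignored."""
    return tuple(int(p) for p in re.findall(r'\d+', v))


def extract_versions(html: str) -> Dict[str, str]:
    """Return every version string the page discloses, keyed by name."""
    found: Dict[str, str] = {}
    env = ENV_RE.search(html)
    if env:
        for key, val in PAIR_RE.findall(env.group(1)):
            if key.endswith("VERSION"):
                found[key] = val
    libs = LIBS_RE.search(html)
    if libs:
        for key, val in PAIR_RE.findall(libs.group(1)):
            found[key] = val
    return found


def outdated_libraries(versions: Dict[str, str], minimums=MIN_VERSIONS) -> List[str]:
    """Names of disclosed libraries whose version is below the inventory minimum."""
    return sorted(
        name for name, v in versions.items()
        if name in minimums and parse_version(v) < parse_version(minimums[name])
    )


if __name__ == "__main__":
    disclosed = extract_versions(SAMPLE_HTML)
    for name, v in sorted(disclosed.items()):
        print(f"{name:20s} {v}")
    print("below minimum:", outdated_libraries(disclosed))
```

Run against saved page source rather than live sites; the point is to keep an inventory of what each deployment discloses so that a new advisory for a bundled library can be matched to affected pages quickly, whether or not the platform ever offers a setting to suppress the strings.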

Comments

  • jayson hanes Admin OP 4 days ago

    Per our APEX Security team (Edited down a bit)

    For an off-the-shelf product like APEX, you can easily identify the version. Just download from oracle.com and compare the JS files of the download with those of a site (either string compare or hash compare).

    The comparison with Apache is invalid, because the only files shipped with Apache that get returned are static error html files and these do not change between versions.

  • igor.duca OP 4 days ago

    When it comes to security nothing is absolutely secure — it’s all about how much effort is required to break it. Why should the product version and the version of the 3rd party library be listed?  

    For instance, in APEX 24.2 the domPurify library version 3.1.6 has a known (new) CVE with Medium severity: https://www.cve.org/CVERecord?id=CVE-2025-26791