By default, the /ows-bin/ directory allows execution of CGI scripts. The Oracle Web Listener will execute batch files as CGI scripts. By making a request to a batch file in ows-bin that requires one or more arguments, it is possible for a knowledgeable and malicious user to execute arbitrary commands. This bug was originally reported by Cerberus Information Security .
Workarounds for Releases Prior to 18.104.22.168