Vulnerability Note VU#716387

Oracle Weblogic Apache connector vulnerable to buffer overflow

Original Release date: 29 Jul 2008 | Last revised: 06 Aug 2008

Overview

Oracle Weblogic (formerly BEA Weblogic) contains a vulnerability which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

Oracle Weblogic Server and Weblogic Express applicaiton servers can be integrated with the Apache webserver using the Weblogic Apache connector plugin (mod_wl). A buffer overflow exists in Weblogic Server and Weblogic Express due to the way that the Apache connector plugin handles specially crafted POST requests. According to Oracle Security Advisory for CVE-2008-3257:

    The following versions of WebLogic Server and WebLogic Express are affected by this vulnerability

    Apache Plug-ins dated prior to July 28 2008 which implies:

      • WebLogic Server 10.0 released through Maintenance Pack 1, on all platforms
      • WebLogic Server 9.2 released through Maintenance Pack 3, on all platforms
      • WebLogic Server 9.1 on all platforms
      • WebLogic Server 9.0 on all platforms
      • WebLogic Server 8.1 released through Service Pack 6, on all platforms
      • WebLogic Server 7.0 released through Service Pack 7 on all platforms
      • WebLogic Server 6.1 released through Service Pack 7 on all platforms

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code.

Solution

Apply a patch Patches have been released to address this issue. Refer to Oracle Security Advisory for CVE-2008-3257 for more information.

Reconfigure Apache

According to Oracle Security Advisory for CVE-2008-3257:

    It is possible to configure Apache and avert this vulnerability by rejecting certain invalid requests. To do so, add the following parameter to the httpd.conf file and restart Apache:

    LimitRequestLine 4000

Install the mod_security module

Oracle suggests installing the mod_security module, which is available in open source from http://www.modsecurity.org/.

More information about these workarounds is provided in Oracle Security Advisory for CVE-2008-3257.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Oracle CorporationAffected-29 Jul 2008
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This vulnerabilty was reported by KingCope.

This document was written by Chris Taschner.

Other Information

  • CVE IDs: CVE-2008-3257
  • Date Public: 21 Jul 2008
  • Date First Published: 29 Jul 2008
  • Date Last Updated: 06 Aug 2008
  • Severity Metric: 17.32
  • Document Revision: 8

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.