search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Oracle Weblogic Apache connector vulnerable to buffer overflow

Vulnerability Note VU#716387

Original Release Date: 2008-07-29 | Last Revised: 2008-08-06

Overview

Oracle Weblogic (formerly BEA Weblogic) contains a vulnerability which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

Oracle Weblogic Server and Weblogic Express applicaiton servers can be integrated with the Apache webserver using the Weblogic Apache connector plugin (mod_wl). A buffer overflow exists in Weblogic Server and Weblogic Express due to the way that the Apache connector plugin handles specially crafted POST requests. According to Oracle Security Advisory for CVE-2008-3257:


    The following versions of WebLogic Server and WebLogic Express are affected by this vulnerability

    Apache Plug-ins dated prior to July 28 2008 which implies:
        • WebLogic Server 10.0 released through Maintenance Pack 1, on all platforms
        • WebLogic Server 9.2 released through Maintenance Pack 3, on all platforms
        • WebLogic Server 9.1 on all platforms
        • WebLogic Server 9.0 on all platforms
        • WebLogic Server 8.1 released through Service Pack 6, on all platforms
        • WebLogic Server 7.0 released through Service Pack 7 on all platforms
        • WebLogic Server 6.1 released through Service Pack 7 on all platforms

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code.

Solution

Apply a patchPatches have been released to address this issue. Refer to Oracle Security Advisory for CVE-2008-3257 for more information.

Reconfigure Apache

According to Oracle Security Advisory for CVE-2008-3257:

    It is possible to configure Apache and avert this vulnerability by rejecting certain invalid requests. To do so, add the following parameter to the httpd.conf file and restart Apache:

    LimitRequestLine 4000

Install the mod_security module

Oracle suggests installing the mod_security module, which is available in open source from http://www.modsecurity.org/.

More information about these workarounds is provided in Oracle Security Advisory for CVE-2008-3257.

Vendor Information

716387
 
Affected   Unknown   Unaffected

Oracle Corporation

Updated:  July 29, 2008

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to Oracle Security Advisory for CVE-2008-3257 for more information.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

This vulnerabilty was reported by KingCope.

This document was written by Chris Taschner.

Other Information

CVE IDs: CVE-2008-3257
Severity Metric: 17.33
Date Public: 2008-07-21
Date First Published: 2008-07-29
Date Last Updated: 2008-08-06 16:48 UTC
Document Revision: 8

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.