Executive Summary

Summary
Title Oracle Weblogic Apache connector vulnerable to buffer overflow
Informations
Name VU#716387 First vendor Publication 2008-07-29
Vendor VU-CERT Last vendor Modification 2008-08-06
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 10 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#716387

Oracle Weblogic Apache connector vulnerable to buffer overflow

Overview

Oracle Weblogic (formerly BEA Weblogic) contains a vulnerability which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description

Oracle Weblogic Server and Weblogic Express applicaiton servers can be integrated with the Apache webserver using the Weblogic Apache connector plugin (mod_wl). A buffer overflow exists in Weblogic Server and Weblogic Express due to the way that the Apache connector plugin handles specially crafted POST requests. According to Oracle Security Advisory for CVE-2008-3257:

    The following versions of WebLogic Server and WebLogic Express are affected by this vulnerability

    Apache Plug-ins dated prior to July 28 2008 which implies:

      • WebLogic Server 10.0 released through Maintenance Pack 1, on all platforms
      • WebLogic Server 9.2 released through Maintenance Pack 3, on all platforms
      • WebLogic Server 9.1 on all platforms
      • WebLogic Server 9.0 on all platforms
      • WebLogic Server 8.1 released through Service Pack 6, on all platforms
      • WebLogic Server 7.0 released through Service Pack 7 on all platforms
      • WebLogic Server 6.1 released through Service Pack 7 on all platforms

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code.

III. Solution

Apply a patch

Patches have been released to address this issue. Refer to Oracle Security Advisory for CVE-2008-3257 for more information.
Reconfigure Apache

According to Oracle Security Advisory for CVE-2008-3257:

    It is possible to configure Apache and avert this vulnerability by rejecting certain invalid requests. To do so, add the following parameter to the httpd.conf file and restart Apache:

    LimitRequestLine 4000

Install the mod_security module

Oracle suggests installing the mod_security module, which is available in open source from http://www.modsecurity.org/.

More information about these workarounds is provided in Oracle Security Advisory for CVE-2008-3257.

Systems Affected

VendorStatusDate Updated
Oracle CorporationVulnerable29-Jul-2008

References


https://support.bea.com/application_content/product_portlets/securityadvisories/2793.html
http://secunia.com/advisories/31146/
http://milw0rm.com/exploits/6089
http://www.modsecurity.org/

Credit

This vulnerabilty was reported by KingCope.

This document was written by Chris Taschner.

Other Information

Date Public07/21/2008
Date First Published07/29/2008 02:30:34 PM
Date Last Updated08/06/2008
CERT Advisory 
CVE-ID(s)CVE-2008-3257
NVD-ID(s)CVE-2008-3257
US-CERT Technical Alerts 
Metric17.32
Document Revision8

Original Source

Url : http://www.kb.cert.org/vuls/id/716387

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 69
Application 1
Application 1
Application 118

SAINT Exploits

Description Link
Oracle WebLogic Server Apache Connector POST buffer overflow More info here

Open Source Vulnerability Database (OSVDB)

Id Description
47096 Oracle Weblogic Apache Connector POST Request Overflow

A remote overflow exists in the BEA Weblogic Apache Connector. The connector fails to properly handle overly long HTTP POST requests resulting in a buffer overflow. With a specially crafted request, an attacker can cause the server to crash and potentially execute arbitrary code.

Snort® IPS/IDS

Date Description
2017-12-19 Citrix XenApp and XenDesktop XML service memory corruption attempt
RuleID : 44877 - Revision : 2 - Type : SERVER-OTHER
2014-03-06 Oracle WebLogic Apache Connector buffer overflow attempt
RuleID : 29523 - Revision : 2 - Type : SERVER-APACHE
2014-01-10 Oracle WebLogic Apache Connector buffer overflow attempt
RuleID : 18283 - Revision : 6 - Type : SERVER-APACHE
2014-01-10 Oracle WebLogic Apache Connector buffer overflow attempt
RuleID : 15511 - Revision : 9 - Type : SERVER-APACHE

Nessus® Vulnerability Scanner

Date Description
2008-08-18 Name : The remote web server uses a module that is affected by a buffer overflow vul...
File : weblogic_mod_wl_overflow.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2014-02-17 12:08:08
  • Multiple Updates