CERT VU:716387
History: Jul 29, 2008 - 12:00 a.m.

Oracle Weblogic Apache connector vulnerable to buffer overflow

2008-07-29 00:00:00
www.kb.cert.org
CVSS2: 10 High

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.94 High
Percentile: 99.2%

Overview

Oracle Weblogic (formerly BEA Weblogic) contains a vulnerability which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

Oracle Weblogic Server and Weblogic Express application servers can be integrated with the Apache web server using the Weblogic Apache connector plugin (mod_wl). A buffer overflow exists in Weblogic Server and Weblogic Express due to the way that the Apache connector plugin handles specially crafted POST requests. According to the Oracle Security Advisory for CVE-2008-3257:

The following versions of WebLogic Server and WebLogic Express are affected by this vulnerability:

_Apache Plug-ins dated prior to July 28 2008 which implies:_

    * _WebLogic Server 10.0 released through Maintenance Pack 1, on all platforms_
    * _WebLogic Server 9.2 released through Maintenance Pack 3, on all platforms_
    * _WebLogic Server 9.1 on all platforms_
    * _WebLogic Server 9.0 on all platforms_
    * _WebLogic Server 8.1 released through Service Pack 6, on all platforms_
    * _WebLogic Server 7.0 released through Service Pack 7 on all platforms_
    * _WebLogic Server 6.1 released through Service Pack 7 on all platforms_

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code.


Solution

Apply a patch

Patches have been released to address this issue. Refer to Oracle Security Advisory for CVE-2008-3257 for more information.


Reconfigure Apache

According to Oracle Security Advisory for CVE-2008-3257:

It is possible to configure Apache and avert this vulnerability by rejecting certain invalid requests. To do so, add the following parameter to the httpd.conf file and restart Apache:

_LimitRequestLine 4000_

Install the mod_security module

Oracle suggests installing the mod_security module, which is available in open source from <http://www.modsecurity.org/>.

More information about these workarounds is provided in Oracle Security Advisory for CVE-2008-3257.
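
To confirm that the LimitRequestLine workaround is actually in effect, the following added example (not code from Oracle or CERT) audits an httpd.conf text and reports every scope whose request-line limit is above 4000. The function name, the sample configuration and the module name and path in its LoadModule line are constructed for illustration; 8190 is Apache's built-in default when the directive is absent.

```python
import re

APACHE_DEFAULT = 8190   # Apache's built-in LimitRequestLine when the directive is absent
ADVISORY_LIMIT = 4000   # value given in the workaround quoted above

# Constructed sample; module name and path are assumptions, not from the advisory.
SAMPLE_CONF = """\
LoadModule weblogic_module modules/mod_wl_20.so
limitrequestline 4000
<VirtualHost *:80>
    ServerName app.example.test
    LimitRequestLine 8190
</VirtualHost>
"""

def audit_request_line_limit(conf_text):
    """Return (plugin_loaded, findings); findings lists (scope, limit) pairs above 4000."""
    plugin_loaded = False
    scopes = {"global": None}          # scope name -> last explicit value seen
    scope = "global"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                   # skip blank lines and comments
        low = line.lower()             # Apache directive names are case-insensitive
        if low.startswith("<virtualhost"):
            scope = "vhost " + line[len("<virtualhost"):].rstrip(">").strip()
            scopes.setdefault(scope, None)
        elif low.startswith("</virtualhost"):
            scope = "global"
        elif low.startswith("loadmodule") and "mod_wl" in low:
            plugin_loaded = True       # the connector plugin named in the advisory
        else:
            m = re.match(r"limitrequestline\s+(\d+)\s*$", low)
            if m:
                scopes[scope] = int(m.group(1))
    findings = []
    # With no global directive, the server falls back to the 8190 default.
    global_value = scopes["global"] if scopes["global"] is not None else APACHE_DEFAULT
    if global_value > ADVISORY_LIMIT:
        findings.append(("global", global_value))
    # A virtual host that sets its own larger value undoes the workaround there.
    for name, value in scopes.items():
        if name != "global" and value is not None and value > ADVISORY_LIMIT:
            findings.append((name, value))
    return plugin_loaded, findings

if __name__ == "__main__":
    print(audit_request_line_limit(SAMPLE_CONF))
```

The check reads a single file and does not follow Include directives, so included configuration fragments need to be audited separately.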

Vendor Information

Oracle Corporation: Affected

Updated: July 29, 2008

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Refer to Oracle Security Advisory for CVE-2008-3257 for more information.

Acknowledgements

This vulnerability was reported by KingCope.

This document was written by Chris Taschner.

Other Information

CVE IDs: CVE-2008-3257
Severity Metric: 17.33
Date Public: