Wednesday, July 30, 2008

Severe Vulnerability In Oracle WebLogic Server

A critical vulnerability has been found in Oracle WebLogic Server (previously known as BEA WebLogic Server).

A specially crafted HTTP POST request can trigger a buffer overflow in the WebLogic plug-in for Apache (mod_weblogic). The vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without a username and password.

The vulnerability affects all platforms. Servers that use the Apache mod_security module are not vulnerable. The vulnerable WebLogic Server and WebLogic Express versions are:
- WebLogic Server 10.0 Maintenance Pack 1 and earlier versions
- WebLogic Server 9.2 Maintenance Pack 3 and earlier versions
- WebLogic Server 9.1 and earlier versions
- WebLogic Server 9.0 and earlier versions
- WebLogic Server 8.1 Service Pack 6 and earlier versions
- WebLogic Server 7.0 Service Pack 7 and earlier versions
- WebLogic Server 6.1 Service Pack 7 and earlier versions


Oracle has promised to provide a fix before its next quarterly Critical Patch Update (CPU) in October. Until the fix is released, Oracle recommends limiting the maximum URL length to 4000 bytes. Another option is to enable the Apache mod_security module. More information can be read here.
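As an added example (not part of the original post or of Oracle's advisory), the following Python script applies the 4000-byte URL limit from the interim mitigation above to Apache combined-format access logs, so an administrator can see whether requests to the Apache front end exceed the limit before or after it is enforced. The log lines are constructed for illustration; since the post does not name the paths proxied to WebLogic, the script flags any request whose URL is longer than the threshold.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Threshold taken from the interim mitigation in the post (limit URLs to 4000 bytes).
MAX_URL_BYTES = 4000

# Apache "combined" log format: host ident user [time] "request" status bytes "referer" "agent"
_LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                     r'"(?P<request>[^"]*)" (?P<status>\d{3}|-) (?P<size>\d+|-)')

@dataclass
class Finding:
    host: str
    time: str
    method: str
    url_len: int
    status: str

def parse_request_line(request: str):
    """Split 'METHOD URL PROTOCOL'; returns (method, url) or None for malformed lines."""
    parts = request.split(" ")
    if len(parts) < 2:
        return None
    return parts[0], parts[1]

def find_oversized_urls(lines: Iterable[str], limit: int = MAX_URL_BYTES) -> List[Finding]:
    """Return one Finding per request whose URL exceeds `limit` bytes."""
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        parsed = parse_request_line(m.group("request"))
        if parsed is None:
            continue  # e.g. "-" logged by Apache for rejected or unparseable requests
        method, url = parsed
        url_len = len(url.encode("utf-8"))  # compare in bytes, as the mitigation is stated
        if url_len > limit:
            findings.append(Finding(m.group("host"), m.group("time"), method, url_len, m.group("status")))
    return findings

# Constructed sample log lines (not real traffic): a normal GET, a POST with a 4101-byte URL,
# and a request Apache rejected before it could log a request line.
SAMPLE_LOG = [
    '10.0.0.5 - - [30/Jul/2008:10:15:01 +0000] "GET /console/login.jsp HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [30/Jul/2008:10:15:07 +0000] "POST /' + "A" * 4100 + ' HTTP/1.1" 500 0 "-" "curl/7.18"',
    '10.0.0.9 - - [30/Jul/2008:10:15:09 +0000] "-" 408 0 "-" "-"',
]
```

Running `find_oversized_urls(SAMPLE_LOG)` reports only the POST line; raising `limit` to match Apache's default `LimitRequestLine` of 8190 shows which requests would still reach mod_weblogic without the lowered limit.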
