CERT-In Vulnerability Note CIVN-2008-114
Oracle WebLogic Apache Connector Buffer Overflow Vulnerability
Original Issue Date:
July 31, 2008
Severity Rating:
High
System Affected
- Oracle WebLogic Server 10.0 released through Maintenance Pack 1
- Oracle WebLogic Server 9.0, 9.1, 9.2 released through Maintenance Pack 3
- Oracle WebLogic Server 8.1 released through Service Pack 6
- Oracle WebLogic Server 7.0 released through Service Pack 7
- Oracle WebLogic Server 6.1 released through Service Pack 7
Overview
A vulnerability has been reported in the Apache Connector of Oracle WebLogic Server (formerly BEA WebLogic Server), which could be exploited by a remote attacker to execute arbitrary code on the affected system and thereby cause a denial of service.
Description
A buffer overflow vulnerability has been reported in the Apache Connector (mod_weblogic) of Oracle WebLogic Server, caused by improper bounds checking in the connector. A remote attacker could exploit this vulnerability by sending a specially crafted HTTP POST request, resulting in execution of arbitrary code on the target system with the privileges of the affected service.
Workaround
Vendor Information
Oracle
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
References
SecurityTracker
http://securitytracker.com/alerts/2008/Jul/1020520.html
ISS X-Force Database
http://xforce.iss.net/xforce/xfdb/43885
SecurityFocus
http://www.securityfocus.com/bid/30273
Secunia
http://secunia.com/advisories/31146/
US-CERT
http://www.kb.cert.org/vuls/id/716387
CVE Name
CVE-2008-3257
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003