Oracle WebLogic Server Apache Connector Remote Code Execution

Notification Type: IBM Internet Security Systems Protection Alert
Notification Date: August 1, 2008
Notification Version: 1.1
   
Name: Oracle WebLogic Server Apache Connector Remote Code Execution
Public disclosure/
In the wild date:		 July 17, 2008 (disclosure and PoC exploit code)
CVE:

CVE-2008-3257
Description:

Oracle WebLogic Server (formerly known as BEA WebLogic Server) is vulnerable to a buffer overflow, which would cause a denial of service and potentially remote code execution.

 

ISS Coverage
Product Content Version
Proventia Network IDS
Proventia Network IPS
Proventia Network MFS
Proventia Server (Linux)
RealSecure Network
RealSecure Server Sensor		 28.120
Proventia Desktop
Proventia Server IPS (Windows)		 x.x.x.2260
Propagation Techniques ISS Protection Available

remote exploit

HTTP_Oracle_Weblogic_Connector_BO

Aug 1, 2008

Detailed Description
Business Impact: As evident with the number of web-related vulnerabilities and this year's relentless attacks on Web servers using SQL injection and other methods, vulnerabilities affecting web servers are becoming increasingly lucrative targets for attackers.  In addition to compromising the targeted web server, these attacks are used to plant other exploits, malware, or redirects to malicious web servers essentially turning a trusted domain into an attack center for the true target: endpoints (the customers and employees that use the target website).
CVSS Base Score: 10
  Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
Adjusted Temporal Score: 7.8
  Exploitability: Proof-of-Concept
Remediation Level: Official-Fix
Report Confidence: Confirmed
Affected Products: For a full list of affected versions, see references below.
Technical Description:

Oracle WebLogic Server (formerly known as BEA WebLogic Server) is vulnerable to a buffer overflow, caused by improper bounds checking by the Apache Connector. By sending a specially-crafted HTTP request, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the server to crash.

Remediation:

Patches were made available on Aug. 5, 2008.

References
XFDB: http://xforce.iss.net/xforce/xfdb/43885
Oracle:

https://support.bea.com/application_content/product_portlets/securityadvisories/2793.html

Revision History
1.0 Initial publication.
1.1 Added information about patch that was released on Aug. 5 and updated CVSS temporal score.


About IBM Internet Security Systems
IBM Internet Security Systems is the trusted security advisor to thousands of the world's leading businesses and governments, providing pre-emptive protection for networks, desktops and servers. An established leader in security since 1994, the IBM Proventia® integrated security platform is designed to automatically protect against both known and unknown threats, helping to keep networks up and running and shielding customers from online attacks before they impact business assets. IBM Internet Security Systems products and services are based on the proactive security intelligence of its X-Force® research and development team – the unequivocal world authority in vulnerability and threat research. The Internet Security Systems product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the Internet Security Systems Web site at www.iss.net or call 800-776-2362.