WebLogic security hole found
A recently uncovered flaw with the Oracle WebLogic server allows
users to gain entry to the software's server without a user name or
password. Oracle has posted instructions on configuring to software so that
it will not susceptible to an attack based on this flaw. The
company will also release a patch to fix the problem.
Malicious code harnessing the flaw can "impact the availability,
confidentiality or integrity of WebLogic Server applications which
use the Apache web server configured with the WebLogic plug-in for
Apache," according to the Oracle advisory.
An exploit could be used to stage a denial-of-serviceattack on the machine, or even be used to gain entry to
that system. Versions 10.3 and earlier of Oracle WebLogic Server
(formerly called BEA WebLogic Server) are susceptible to this
exploit.
The vulnerability resides in a WebLogic plug-in module for the
Apache Web server. It is a buffer overflow, meaning malicious users
could append executable code onto the end of a bogus request for a
Web page, one made up of an abnormally long string of characters.
The work-around consists of limiting the length of a Web address
that can be submitted to the Apache Web server to 4,000 characters
or less. This can be done either by adding a line to the Apache
configuration file, or installing an Apache security module.
According to Oracle, code exploiting
this flaw was posted on the Internet without any prior notification
to the company. Because Oracle did not have time to prepare a
patch, it has issued an alert outside its routinequarterly patch cycle.
Oracle has rated the severity of this hole as high on the
Common Vulnerability Scoring System. The National
Vulnerability Database has assigned the vulnerability ID CVE-2008-3257
to this flaw.
About the Author
Joab Jackson is the senior technology editor for Government Computer News.