News

WebLogic Security Hole Found

A recently uncovered flaw with the Oracle WebLogic server allows users to gain entry to the software's server without a user name or password.

Oracle has posted instructions on configuring to software so that it will not be susceptible to an attack based on this flaw. The company will also release a patch to fix the problem.

Malicious code harnessing the flaw can "impact the availability, confidentiality or integrity of WebLogic Server applications which use the Apache Web server configured with the WebLogic plug-in for Apache," according to the Oracle advisory.

An exploit could be used to stage a denial-of-service attack on the machine, or even be used to gain entry to that system. Versions 10.3 and earlier of Oracle WebLogic Server (formerly called BEA WebLogic Server) are susceptible to this exploit.

The vulnerability resides in a WebLogic plug-in module for the Apache Web server. It is a buffer overflow, meaning malicious users could append executable code onto the end of a bogus request for a Web page, one made up of an abnormally long string of characters.

The work-around consists of limiting the length of a Web address that can be submitted to the Apache Web server to 4,000 characters or less. This can be done either by adding a line to the Apache configuration file, or installing an Apache security module.

According to Oracle, code exploiting this flaw was posted on the Internet without any prior notification to the company. Because Oracle did not have time to prepare a patch, it has issued an alert outside its routine quarterly patch cycle.

Oracle has rated the severity of this hole as high on the Common Vulnerability Scoring System. The National Vulnerability Database has assigned the vulnerability ID CVE-2008-3257 to this flaw.

About the Author

Joab Jackson is the chief technology editor of Government Computing News (GCN.com).

Featured

  • Report: Cost, Sustainability Drive DaaS Adoption Beyond Remote Work

    Gartner's 2025 Magic Quadrant for Desktop as a Service reveals that while secure remote access remains a key driver of DaaS adoption, a growing number of deployments now focus on broader efficiency goals.

  • Windows 365 Reserve, Microsoft's Cloud PC Rental Service, Hits Preview

    Microsoft has launched a limited public preview of its new "Windows 365 Reserve" service, which lets organizations rent cloud PC instances in the event their Windows devices are stolen, lost or damaged.

  • Hands-On AI Skills Now Outshine Certs in Salary Stakes

    For AI-related roles, employers are prioritizing verifiable, hands-on abilities over framed certificates -- and they're paying a premium for it.

  • Roadblocks in Enterprise AI: Data and Skills Shortfalls Could Cost Millions

    Businesses risk losing up to $87 million a year if they fail to catch up with AI innovation, according to the Couchbase FY 2026 CIO AI Survey released this month.