WebLogic Security Hole Found
- By Joab Jackson
- July 30, 2008
A recently uncovered flaw with the Oracle WebLogic server allows users to gain
entry to the software's server without a user name or password.
Oracle has posted instructions on configuring the software so that it will not
be susceptible to an attack based on this flaw. The company will also release
a patch to fix the problem.
Malicious code harnessing the flaw can "impact the availability, confidentiality
or integrity of WebLogic Server applications which use the Apache Web server
configured with the WebLogic plug-in for Apache," according to the Oracle advisory.
An exploit could be used to stage a denial-of-service
attack on the machine, or even be used to gain entry to
that system. Versions 10.3 and earlier of Oracle WebLogic Server
(formerly called BEA WebLogic Server) are susceptible to this
exploit.
The vulnerability resides in a WebLogic plug-in module for the Apache Web server.
It is a buffer overflow: a malicious user could send a bogus request for a Web
page made up of an abnormally long string of characters, with executable code
appended to the end of that request.
The work-around consists of limiting the length of a Web address that can be
submitted to the Apache Web server to 4,000 characters or fewer. This can be
done either by adding a line to the Apache configuration file or by installing
an Apache security module.
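As an added defender's check, not part of this article or of Oracle's advisory, the script below audits an Apache httpd configuration for the request-length cap the work-around describes. It assumes the cap is applied with Apache's LimitRequestLine directive (whose compiled-in default is 8190 bytes when the directive is absent) and uses constructed sample configuration text.

```python
import re

# Apache httpd's compiled-in default for LimitRequestLine (bytes) when the
# directive does not appear in the configuration.
APACHE_DEFAULT_LIMIT = 8190
# Ceiling from the published work-around: request lines of at most 4,000 characters.
WORKAROUND_MAX = 4000

_DIRECTIVE = re.compile(r"^LimitRequestLine\s+(\d+)$", re.IGNORECASE)


def effective_limit(config_text):
    """Return the LimitRequestLine value in force for a configuration body.

    Blank and comment lines are ignored; if the directive occurs more than
    once the last occurrence wins, as in httpd; if it is absent, the
    compiled-in default applies.
    """
    limit = APACHE_DEFAULT_LIMIT
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _DIRECTIVE.match(stripped)
        if match:
            limit = int(match.group(1))
    return limit


def workaround_applied(config_text):
    """True when the configuration caps request lines at the work-around ceiling or below."""
    return effective_limit(config_text) <= WORKAROUND_MAX


# Constructed sample configurations for illustration only (not real server files).
UNMITIGATED_CONF = """\
ServerRoot "/etc/httpd"
Listen 80
# LimitRequestLine 4000   <- still commented out, so the 8190 default applies
"""

MITIGATED_CONF = """\
ServerRoot "/etc/httpd"
Listen 80
LimitRequestLine 4000
"""

if __name__ == "__main__":
    for name, conf in (("unmitigated", UNMITIGATED_CONF), ("mitigated", MITIGATED_CONF)):
        print(f"{name}: LimitRequestLine={effective_limit(conf)} "
              f"workaround_applied={workaround_applied(conf)}")
```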
According to Oracle, code exploiting
this flaw was posted on the Internet without any prior notification
to the company. Because Oracle did not have time to prepare a
patch, it has issued an alert outside its routine
quarterly patch cycle.
Oracle has rated the severity of this hole as high on the
Common Vulnerability Scoring System. The National
Vulnerability Database has assigned the vulnerability ID CVE-2008-3257
to this flaw.
About the Author
Joab Jackson is the chief technology editor of Government Computing News (GCN.com).