WebLogic Security Hole Found

A recently uncovered flaw with the Oracle WebLogic server allows users to gain entry to the software's server without a user name or password.

Oracle has posted instructions on configuring to software so that it will not be susceptible to an attack based on this flaw. The company will also release a patch to fix the problem.

Malicious code harnessing the flaw can "impact the availability, confidentiality or integrity of WebLogic Server applications which use the Apache Web server configured with the WebLogic plug-in for Apache," according to the Oracle advisory.

An exploit could be used to stage a denial-of-service attack on the machine, or even be used to gain entry to that system. Versions 10.3 and earlier of Oracle WebLogic Server (formerly called BEA WebLogic Server) are susceptible to this exploit.

The vulnerability resides in a WebLogic plug-in module for the Apache Web server. It is a buffer overflow, meaning malicious users could append executable code onto the end of a bogus request for a Web page, one made up of an abnormally long string of characters.

The work-around consists of limiting the length of a Web address that can be submitted to the Apache Web server to 4,000 characters or less. This can be done either by adding a line to the Apache configuration file, or installing an Apache security module.

According to Oracle, code exploiting this flaw was posted on the Internet without any prior notification to the company. Because Oracle did not have time to prepare a patch, it has issued an alert outside its routine quarterly patch cycle.

Oracle has rated the severity of this hole as high on the Common Vulnerability Scoring System. The National Vulnerability Database has assigned the vulnerability ID CVE-2008-3257 to this flaw.

About the Author

Joab Jackson is the chief technology editor of Government Computing News (