[VIM] Assurent VR - Oracle BEA WebLogic Server Apache Connector Buffer Overflow (fwd)

security curmudgeon jericho at attrition.org
Thu Jan 15 01:04:41 UTC 2009



---------- Forwarded message ----------
From: security curmudgeon <jericho at attrition.org>
To: bugtraq at securityfocus.com
Cc: trees at assurent.com, support at bea.com,
     Oracle Security Alerts <secalert_us at oracle.com>
Date: Thu, 15 Jan 2009 01:01:06 +0000 (UTC)
Subject: Re: Assurent VR - Oracle BEA WebLogic Server Apache Connector Buffer
     Overflow



Hello Assurent & Oracle,

On Tue, 13 Jan 2009, VR-Subscription-noreply at assurent.com wrote:

: Oracle BEA WebLogic Server Apache Connector Buffer Overflow
:
: Reference: http://www.bea.com/weblogic/server/
:
: 2. Vulnerability Summary
:
: A remotely exploitable vulnerability has been discovered in the Apache
: Connector component of Oracle BEA WebLogic Server. Specifically, the
: vulnerability is due to a boundary error when processing incoming HTTP
: requests and can lead to a buffer overflow condition. This boundary
: error can lead to a Denial of Service (DoS) condition for the Apache
: HTTP server.
:
: 3. Vulnerability Analysis
:
: A remote unauthenticated attacker can exploit the vulnerability by
: sending a malicious HTTP request to the target system. A successful
: attack will result in a Denial of Service (DoS) condition for the Apache
: HTTP server, including all Apache-negotiated HTTP traffic to the
: WebLogic Server.

: Reference: https://support.bea.com/application_content/product_portlets/securityadvisories/2809.html

According to Assurent, this is a remote overflow that creates a DoS
condition. No mention of running arbitrary code.

Oracle's advisory says:

CVSS Severity Score: 10.0 (High)
Attack Range (AV): Network
Attack Complexity (AC): Low
Authentication Level (Au): None
Impact Type:Complete confidentiality, integrity and availability violation
Vulnerability Type: Denial of Service
CVSS Base Score Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

So it is a "Denial of Service" but results in a complete compromise of
confidentiality, integrity and availability. A 10.0 score typically means
remote, unauthenticated execution of attacker-controlled code. Which is
correct?

Further, Oracle's advisory says this affects "Security vulnerability in
WebLogic plug-ins for Apache, Sun and IIS Web servers", implying this
affects multiple plug-ins, not just the one for Apache. The advisory also
uses this wording further suggesting three separate plug-ins: "This
vulnerability may impact the availability, confidentiality or integrity of
WebLogic Server applications, which use the Apache, Sun or IIS web server
configured with the WebLogic plug-in for Apache, Sun or IIS respectively."

Is it really one plug-in that works with all three? Or does this only
affect an Apache plug-in?



More information about the VIM mailing list