<<< Date Index >>>     <<< Thread Index >>>

Re: Assurent VR - Oracle BEA WebLogic Server Apache Connector Buffer Overflow




Hello Assurent & Oracle,

On Tue, 13 Jan 2009, VR-Subscription-noreply@xxxxxxxxxxxx wrote:

: Oracle BEA WebLogic Server Apache Connector Buffer Overflow
: 
: Reference: http://www.bea.com/weblogic/server/
: 
: 2. Vulnerability Summary
: 
: A remotely exploitable vulnerability has been discovered in the Apache 
: Connector component of Oracle BEA WebLogic Server. Specifically, the 
: vulnerability is due to a boundary error when processing incoming HTTP 
: requests and can lead to a buffer overflow condition. This boundary 
: error can lead to a Denial of Service (DoS) condition for the Apache 
: HTTP server.
: 
: 3. Vulnerability Analysis
: 
: A remote unauthenticated attacker can exploit the vulnerability by 
: sending a malicious HTTP request to the target system. A successful 
: attack will result in a Denial of Service (DoS) condition for the Apache 
: HTTP server, including all Apache-negotiated HTTP traffic to the 
: WebLogic Server.

: Reference: 
https://support.bea.com/application_content/product_portlets/securityadvisories/2809.html

According to Assurent, this is a remote overflow that creates a DoS 
condition. No mention of running arbitrary code.

Oracle's advisory says:

CVSS Severity Score: 10.0 (High)
Attack Range (AV): Network
Attack Complexity (AC): Low 
Authentication Level (Au): None 
Impact Type:Complete confidentiality, integrity and availability violation 
Vulnerability Type: Denial of Service 
CVSS Base Score Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

So it is a "Denial of Service" but results in a complete compromise of 
confidentiality, integrity and availability. A 10.0 score typically means 
remote, unauthenticated execution of attacker-controlled code. Which is 
correct?

Further, Oracle's advisory says this affects "Security vulnerability in 
WebLogic plug-ins for Apache, Sun and IIS Web servers", implying this 
affects multiple plug-ins, not just the one for Apache. The advisory also 
uses this wording further suggesting three separate plug-ins: "This 
vulnerability may impact the availability, confidentiality or integrity of 
WebLogic Server applications, which use the Apache, Sun or IIS web server 
configured with the WebLogic plug-in for Apache, Sun or IIS respectively."

Is it really one plug-in that works with all three? Or does this only 
affect an Apache plug-in?