Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

            ESB-2008.0748 -- [Win][Linux][HP-UX][Solaris][AIX]
           Security vulnerability in WebLogic plug-in for Apache
                               29 July 2008


        AusCERT Security Bulletin Summary

Product:              WebLogic Server 10.0 MP1 and prior
                      WebLogic Server 9.2 MP3 and prior
                      WebLogic Server 9.1
                      WebLogic Server 9.0
                      WebLogic Server 8.1 SP6 and prior
                      WebLogic Server 7.0 SP 7 and prior
                      WebLogic Server 6.1 SP 7 and prior
Publisher:            BEA
Operating System:     Windows
                      Linux variants
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-3257

Original Bulletin:    http://dev2dev.bea.com/pub/advisory/291

- --------------------------BEGIN INCLUDED TEXT--------------------

BEA Security Advisories and Notifications

   Subject: Security Advisory (CVE-2008-3257)
   From: Oracle Corporation
   Minor Subject: Security vulnerability in WebLogic plug-in for Apache
   Product(s) Affected: WebLogic Server and WebLogic Express

   Oracle treats potential security problems with a high degree of
   urgency and endeavors to take appropriate steps to help ensure the
   security of our customers systems. As a result, Oracle strongly
   suggests the following actions:

     I. Read the following advisory.
     II. Apply the suggested action.
     III. If you know of any additional users interested in future
     security advisories, please forward them the registration
     instructions included in this advisory.

I. Description

   Recently an exploit has become publicly available which may impact the
   availability, confidentiality or integrity of WebLogic Server
   applications which use the Apache web server configured with the
   WebLogic plug-in for Apache. This vulnerability may be remotely
   exploitable without authentication, i.e. it may be exploited over a
   network without the need for a username and password. This note
   provides information for workarounds for this vulnerability.

   A subsequent revision of this note will be issued with information on
   how to obtain an updated version of the Apache plug-in to remedy this
   issue without the use of workarounds. This revision will be issued
   after testing has been completed on that updated plug-in.

II. Impact and CVSS Ratings

   CVSS Severity Score: 10.0 (High)
   Attack Range (AV): Network
   Attack Complexity (AC): Low
   Authentication Level (Au): None
   Impact Type: Complete confidentiality, integrity and availability
   Vulnerability Type: Denial of Service
   CVSS Base Score Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

   Usage of CVSS by Oracle:


   The following versions of WebLogic Server and WebLogic Express are
   affected by this vulnerability
     * Apache Plug-ins dated prior to July 28 2008 which implies:

     * WebLogic Server 10.0 released through Maintenance Pack 1, on all
     * WebLogic Server 9.2 released through Maintenance Pack 3, on all
     * WebLogic Server 9.1 on all platforms
     * WebLogic Server 9.0 on all platforms
     * WebLogic Server 8.1 released through Service Pack 6, on all
     * WebLogic Server 7.0 released through Service Pack 7 on all
     * WebLogic Server 6.1 released through Service Pack 7 on all

   Note: Apache servers that are already configured with the mod_security
   module are protected from this vulnerability by the default core


   Two workarounds are provided for this vulnerability, which Oracle
   believes will provide protection against this vulnerability.

   Apache LimitRequestLine Parameter

   It is possible to configure Apache and avert this vulnerability by
   rejecting certain invalid requests. To do so, add the following
   parameter to the httpd.conf file and restart Apache:

   LimitRequestLine 4000

   See: Apache LimitRequestLine documentation for more information.

   Note: This parameter limits the maximum URL length to less than 4000

   Apache mod_security Module

   Oracle believes that the workaround using the LimitRequestLine
   parameter will provide a workaround for WebLogic users that do not
   require URLs that exceed 4,000 bytes. If there are cases where the use
   of the LimitRequestLine parameter is not an option, users may also
   consider use of mod_security in Apache Web Server environments.

   This is available in open source from http://www.modsecurity.org/
   to address the vulnerability. The mod_security module need only be
   installed and enabled in order to provide a workaround for this
   vulnerability. Oracle recommends evaluation in customer environments
   prior to usage in production.

   Oracle strongly recommends that you backup and comprehensively test
   the stability of your system upon application of any patch or
   workaround prior to deleting any of the original file(s) that are
   replaced by a patch or workaround.

   Oracle strongly suggests that customers apply the remedies recommended
   in all our security advisories. Oracle also urges customers to apply
   every Service Pack as they are released. Service Packs include a
   roll-up of all bug fixes for each version of the product, as well as
   each of the prior Service Packs. Service Packs and information about
   them can be found at:
   WebLogic Server:
   http://commerce.bea.com/showallversions.jsp?family=WLS WebLogic
   Platform: http://commerce.bea.com/showallversions.jsp?family=WLP

   Note: Information about securing WebLogic Server and WebLogic Express
   can be found at: http://edocs.bea.com/wls/docs100/security.html.
   Specific lockdown information is provided at
   http://edocs.bea.com/wls/docs100/lockdown/index.html. We strongly
   encourage you to review this documentation to ensure your server
   deployment is securely configured.


   All previous advisories and notifications can be viewed at

   Additional users who wish to register for advisory distribution should
   follow the registration directions at


   Security issues for BEA products can be reported to Oracle by
   following the directions at

   If you have any questions or have a need to verify the authenticity of
   this advisory, please contact Oracle Technical Support for BEA
   products at support@bea.com.

   Thank you,
   Oracle Corporation

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

Comment: http://www.auscert.org.au/render.html?it=1967