Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2008.0748 -- [Win][Linux][HP-UX][Solaris][AIX]
Security vulnerability in WebLogic plug-in for Apache
29 July 2008
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: WebLogic Server 10.0 MP1 and prior
WebLogic Server 9.2 MP3 and prior
WebLogic Server 9.1
WebLogic Server 9.0
WebLogic Server 8.1 SP6 and prior
WebLogic Server 7.0 SP 7 and prior
WebLogic Server 6.1 SP 7 and prior
Publisher: BEA
Operating System: Windows
Linux variants
Solaris
HP-UX
AIX
Access: Remote/Unauthenticated
CVE Names: CVE-2008-3257
Original Bulletin: http://dev2dev.bea.com/pub/advisory/291
- --------------------------BEGIN INCLUDED TEXT--------------------
BEA Security Advisories and Notifications
Subject: Security Advisory (CVE-2008-3257)
From: Oracle Corporation
Minor Subject: Security vulnerability in WebLogic plug-in for Apache
Product(s) Affected: WebLogic Server and WebLogic Express
Oracle treats potential security problems with a high degree of
urgency and endeavors to take appropriate steps to help ensure the
security of our customers systems. As a result, Oracle strongly
suggests the following actions:
I. Read the following advisory.
II. Apply the suggested action.
III. If you know of any additional users interested in future
security advisories, please forward them the registration
instructions included in this advisory.
I. Description
Recently an exploit has become publicly available which may impact the
availability, confidentiality or integrity of WebLogic Server
applications which use the Apache web server configured with the
WebLogic plug-in for Apache. This vulnerability may be remotely
exploitable without authentication, i.e. it may be exploited over a
network without the need for a username and password. This note
provides information for workarounds for this vulnerability.
A subsequent revision of this note will be issued with information on
how to obtain an updated version of the Apache plug-in to remedy this
issue without the use of workarounds. This revision will be issued
after testing has been completed on that updated plug-in.
II. Impact and CVSS Ratings
CVSS Severity Score: 10.0 (High)
Attack Range (AV): Network
Attack Complexity (AC): Low
Authentication Level (Au): None
Impact Type: Complete confidentiality, integrity and availability
violation
Vulnerability Type: Denial of Service
CVSS Base Score Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Usage of CVSS by Oracle:
http://www.oracle.com/technology/deploy/security/cpu/cvssscoringsystem.htm
III. AFFECTED VERSIONS
The following versions of WebLogic Server and WebLogic Express are
affected by this vulnerability
* Apache Plug-ins dated prior to July 28 2008 which implies:
* WebLogic Server 10.0 released through Maintenance Pack 1, on all
platforms
* WebLogic Server 9.2 released through Maintenance Pack 3, on all
platforms
* WebLogic Server 9.1 on all platforms
* WebLogic Server 9.0 on all platforms
* WebLogic Server 8.1 released through Service Pack 6, on all
platforms
* WebLogic Server 7.0 released through Service Pack 7 on all
platforms
* WebLogic Server 6.1 released through Service Pack 7 on all
platforms
Note: Apache servers that are already configured with the mod_security
module are protected from this vulnerability by the default core
ruleset.
IV. SUGGESTED ACTION
Two workarounds are provided for this vulnerability, which Oracle
believes will provide protection against this vulnerability.
Apache LimitRequestLine Parameter
It is possible to configure Apache and avert this vulnerability by
rejecting certain invalid requests. To do so, add the following
parameter to the httpd.conf file and restart Apache:
LimitRequestLine 4000
See: Apache LimitRequestLine documentation for more information.
Note: This parameter limits the maximum URL length to less than 4000
bytes.
Apache mod_security Module
Oracle believes that the workaround using the LimitRequestLine
parameter will provide a workaround for WebLogic users that do not
require URLs that exceed 4,000 bytes. If there are cases where the use
of the LimitRequestLine parameter is not an option, users may also
consider use of mod_security in Apache Web Server environments.
This is available in open source from http://www.modsecurity.org/
to address the vulnerability. The mod_security module need only be
installed and enabled in order to provide a workaround for this
vulnerability. Oracle recommends evaluation in customer environments
prior to usage in production.
Oracle strongly recommends that you backup and comprehensively test
the stability of your system upon application of any patch or
workaround prior to deleting any of the original file(s) that are
replaced by a patch or workaround.
Oracle strongly suggests that customers apply the remedies recommended
in all our security advisories. Oracle also urges customers to apply
every Service Pack as they are released. Service Packs include a
roll-up of all bug fixes for each version of the product, as well as
each of the prior Service Packs. Service Packs and information about
them can be found at:
WebLogic Server:
http://commerce.bea.com/showallversions.jsp?family=WLS WebLogic
Platform: http://commerce.bea.com/showallversions.jsp?family=WLP
Note: Information about securing WebLogic Server and WebLogic Express
can be found at: http://edocs.bea.com/wls/docs100/security.html.
Specific lockdown information is provided at
http://edocs.bea.com/wls/docs100/lockdown/index.html. We strongly
encourage you to review this documentation to ensure your server
deployment is securely configured.
V. SECURITY COMMUNICATIONS
All previous advisories and notifications can be viewed at
https://support.bea.com/application_content/product_portlets/securityadvisories/index.html.
Additional users who wish to register for advisory distribution should
follow the registration directions at
https://support.bea.com/application_content/product_portlets/securityadvisories/index.html.
VI. REPORTING SECURITY ISSUES
Security issues for BEA products can be reported to Oracle by
following the directions at
https://support.bea.com/application_content/product_portlets/securityadvisories/index.html.
If you have any questions or have a need to verify the authenticity of
this advisory, please contact Oracle Technical Support for BEA
products at support@bea.com.
Thank you,
Oracle Corporation
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBSI7BQyh9+71yA2DNAQJ8OwP/bgE8aCTT8Ifr4EF/QIel8vUl6DeNXn8X
jXD9j4AA2ssAqs79uwrML2Y8HF3GFTw6jFqscRH9FqceuHmDqwoHXVXlzntwuxCw
WjCQkNw6RXkIeKFQFWuvWBtpXsKGk+hxRG0qkwgAxx4J6OXYMkSE+BEPsScKSqzw
m6cCBJwTjTw=
=zY0s
-----END PGP SIGNATURE-----