Message-ID: <Pine.LNX.4.64.0901150040320.13704@forced.attrition.org>
Date: Thu, 15 Jan 2009 01:01:06 +0000 (UTC)
From: security curmudgeon <jericho@...rition.org>
To: bugtraq@...urityfocus.com
Cc: trees@...urent.com, support@....com,
	Oracle Security Alerts <secalert_us@...cle.com>
Subject: Re: Assurent VR - Oracle BEA WebLogic Server Apache Connector Buffer Overflow
Hello Assurent & Oracle,

On Tue, 13 Jan 2009, VR-Subscription-noreply@...urent.com wrote:

: Oracle BEA WebLogic Server Apache Connector Buffer Overflow
: 
: Reference: http://www.bea.com/weblogic/server/
: 
: 2. Vulnerability Summary
: 
: A remotely exploitable vulnerability has been discovered in the Apache 
: Connector component of Oracle BEA WebLogic Server. Specifically, the 
: vulnerability is due to a boundary error when processing incoming HTTP 
: requests and can lead to a buffer overflow condition. This boundary 
: error can lead to a Denial of Service (DoS) condition for the Apache 
: HTTP server.
: 
: 3. Vulnerability Analysis
: 
: A remote unauthenticated attacker can exploit the vulnerability by 
: sending a malicious HTTP request to the target system. A successful 
: attack will result in a Denial of Service (DoS) condition for the Apache 
: HTTP server, including all Apache-negotiated HTTP traffic to the 
: WebLogic Server.

: Reference: https://support.bea.com/application_content/product_portlets/securityadvisories/2809.html

According to Assurent, this is a remote overflow that creates a DoS 
condition. No mention of running arbitrary code.

Oracle's advisory says:

CVSS Severity Score: 10.0 (High)
Attack Range (AV): Network
Attack Complexity (AC): Low
Authentication Level (Au): None
Impact Type: Complete confidentiality, integrity and availability violation
Vulnerability Type: Denial of Service
CVSS Base Score Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

So it is a "Denial of Service" but results in a complete compromise of 
confidentiality, integrity and availability. A 10.0 score typically means 
remote, unauthenticated execution of attacker-controlled code. Which is 
correct?

Further, Oracle's advisory says this affects "Security vulnerability in 
WebLogic plug-ins for Apache, Sun and IIS Web servers", implying this 
affects multiple plug-ins, not just the one for Apache. The advisory also 
uses this wording further suggesting three separate plug-ins: "This 
vulnerability may impact the availability, confidentiality or integrity of 
WebLogic Server applications, which use the Apache, Sun or IIS web server 
configured with the WebLogic plug-in for Apache, Sun or IIS respectively."

Is it really one plug-in that works with all three? Or does this only 
affect an Apache plug-in?
