[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.64.0901150040320.13704@forced.attrition.org>
Date: Thu, 15 Jan 2009 01:01:06 +0000 (UTC)
From: security curmudgeon <jericho@...rition.org>
To: bugtraq@...urityfocus.com
Cc: trees@...urent.com, support@....com,
Oracle Security Alerts <secalert_us@...cle.com>
Subject: Re: Assurent VR - Oracle BEA WebLogic Server Apache Connector Buffer
Overflow
Hello Assurent & Oracle,
On Tue, 13 Jan 2009, VR-Subscription-noreply@...urent.com wrote:
: Oracle BEA WebLogic Server Apache Connector Buffer Overflow
:
: Reference: http://www.bea.com/weblogic/server/
:
: 2. Vulnerability Summary
:
: A remotely exploitable vulnerability has been discovered in the Apache
: Connector component of Oracle BEA WebLogic Server. Specifically, the
: vulnerability is due to a boundary error when processing incoming HTTP
: requests and can lead to a buffer overflow condition. This boundary
: error can lead to a Denial of Service (DoS) condition for the Apache
: HTTP server.
:
: 3. Vulnerability Analysis
:
: A remote unauthenticated attacker can exploit the vulnerability by
: sending a malicious HTTP request to the target system. A successful
: attack will result in a Denial of Service (DoS) condition for the Apache
: HTTP server, including all Apache-negotiated HTTP traffic to the
: WebLogic Server.
: Reference: https://support.bea.com/application_content/product_portlets/securityadvisories/2809.html
According to Assurent, this is a remote overflow that creates a DoS
condition. No mention of running arbitrary code.
Oracle's advisory says:
CVSS Severity Score: 10.0 (High)
Attack Range (AV): Network
Attack Complexity (AC): Low
Authentication Level (Au): None
Impact Type:Complete confidentiality, integrity and availability violation
Vulnerability Type: Denial of Service
CVSS Base Score Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
So it is a "Denial of Service" but results in a complete compromise of
confidentiality, integrity and availability. A 10.0 score typically means
remote, unauthenticated execution of attacker-controlled code. Which is
correct?
Further, Oracle's advisory says this affects "Security vulnerability in
WebLogic plug-ins for Apache, Sun and IIS Web servers", implying this
affects multiple plug-ins, not just the one for Apache. The advisory also
uses this wording further suggesting three separate plug-ins: "This
vulnerability may impact the availability, confidentiality or integrity of
WebLogic Server applications, which use the Apache, Sun or IIS web server
configured with the WebLogic plug-in for Apache, Sun or IIS respectively."
Is it really one plug-in that works with all three? Or does this only
affect an Apache plug-in?
Powered by blists - more mailing lists