It is rare to see a CVSS base score of 10, the highest possible, on a reported vulnerability. However, for the first time since moving to quarterly security patches and mitigations in January 2005, Oracle has issued an out-of-cycle advisory addressing the recent discovery, and public release of exploit code, for a flaw that can cause serious damage to WebLogic Server and WebLogic Express.
Oracle offers mitigations, going out of cycle to address a recent security flaw. (Image: J. Anderson)
Oracle is reporting a vulnerability in the WebLogic plug-in for Apache that is "remotely exploitable without authentication." The attack code released on Milw0rm is, according to comments in the code, "broken," but reportedly works just fine on tested servers.
WebLogic is vulnerable to a “buffer overflow caused by improper bounds checking by the Apache Connector,” according to the IBM X-Force advisory. The attack relies on specially-crafted HTTP POST requests, which could allow a remote attacker to execute arbitrary code on the system or cause the server to crash.
While there is no patch yet, Oracle has listed mitigation steps for the vulnerability, which amount to some simple configuration changes to the affected services. The first mitigation is to limit the URL length to 4000 bytes: add LimitRequestLine 4000 to the httpd.conf file and restart the Apache HTTP service. If a company needs URLs longer than 4000 bytes, Oracle suggests using the mod_security module for Apache instead. mod_security is considered a best practice when hardening an Apache installation, and Oracle confirms that Apache servers running mod_security are not vulnerable to the attack.
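The two mitigations above are both visible in httpd.conf, so a defender can audit a front-end for them. The following script is an added example, not Oracle's or Apache's own tooling; it assumes Apache's documented default LimitRequestLine of 8190 bytes when the directive is absent, and that mod_security appears as a LoadModule of security_module (1.x) or security2_module (2.x). The sample configurations it audits are constructed for the example.

```shell
#!/bin/sh
# Audit an httpd.conf for the two mitigations named in the advisory:
# a LimitRequestLine of at most 4000 bytes, or mod_security loaded.
# Hypothetical helper script, not Oracle's or Apache's own tooling.

# Last uncommented LimitRequestLine wins; Apache's default is 8190 when unset.
effective_limit() {
    limit=$(grep -iE '^[[:space:]]*LimitRequestLine[[:space:]]+[0-9]+' "$1" \
            | tail -n 1 | awk '{print $2}')
    if [ -n "$limit" ]; then echo "$limit"; else echo 8190; fi
}

# Returns 0 if mod_security (1.x security_module or 2.x security2_module) is loaded.
has_modsecurity() {
    grep -qiE '^[[:space:]]*LoadModule[[:space:]]+security2?_module[[:space:]]' "$1"
}

# Returns 0 (mitigated) when either mitigation is present, 1 otherwise.
check_mitigation() {
    limit=$(effective_limit "$1")
    if [ "$limit" -le 4000 ]; then
        echo "OK: $1 limits request lines to $limit bytes"
        return 0
    fi
    if has_modsecurity "$1"; then
        echo "OK: $1 loads mod_security (request line limit is $limit)"
        return 0
    fi
    echo "WARN: $1 allows $limit-byte request lines and does not load mod_security;"
    echo "      add 'LimitRequestLine 4000' and restart httpd"
    return 1
}

# Constructed sample configs (not from any real server) so the script runs offline.
AUDIT_DIR=$(mktemp -d)
MITIGATED_CONF="$AUDIT_DIR/mitigated.conf"
UNMITIGATED_CONF="$AUDIT_DIR/unmitigated.conf"
printf '%s\n' 'LoadModule weblogic_module modules/mod_wl.so' \
              'LimitRequestLine 8190' \
              'LimitRequestLine 4000' > "$MITIGATED_CONF"
printf '%s\n' 'LoadModule weblogic_module modules/mod_wl.so' \
              '# LimitRequestLine 4000  (commented out, so not in effect)' > "$UNMITIGATED_CONF"

check_mitigation "$MITIGATED_CONF"
check_mitigation "$UNMITIGATED_CONF" || true
```

Point it at a real httpd.conf with `check_mitigation /path/to/httpd.conf`; note it does not follow Include directives, so check included files separately.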
Eric Maurice posted some information on the Oracle security blog announcing the security advisory:
"When Oracle became aware of this issue, our security and development teams worked diligently to develop an effective workaround to prevent a successful exploitation of the vulnerability," he wrote. "In addition, Oracle will also issue an out-of-cycle security patch for this vulnerability as soon as the fix has been produced for all supported version-platform combinations. We expect this fix to be ready very soon, and we will issue an updated Security Alert to let customers know about its availability."
To date, Oracle has patched one-hundred and twelve security issues.