SAINT Corporation, SAINT:23D50806A7ED8E64A87DF12F6E0A71D3
Apr 10, 2009

Oracle WebLogic Server IIS Connector JSESSIONID buffer overflow

2009-04-10 00:00:00
SAINT Corporation
my.saintcorporation.com

CVSS2: 10
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.968
Percentile: 99.7%

Added: 04/10/2009
CVE: CVE-2008-5457
BID: 33177

Background

Oracle WebLogic Server (formerly BEA WebLogic Server) is a Java web application platform.

Problem

A buffer overflow vulnerability in the WebLogic IIS connector allows remote attackers to execute arbitrary commands by sending a long, specially crafted JSESSIONID parameter to the server.

Resolution

Apply patch 7825169 as instructed in the Oracle Security Advisory.

References

<http://www.oracle.com/technology/deploy/security/wls-security/2809.html>

Limitations

The exploit works on the Oracle WebLogic 10.0 IIS connector on Windows 2000.

Platforms

Windows 2000
