Lucene search

SAINT CorporationSAINT:5CE13ECB4CAE25C047A16F8045E96C95

HistoryApr 10, 2009 - 12:00 a.m.

Oracle WebLogic Server IIS Connector JSESSIONID buffer overflow

2009-04-1000:00:00

SAINT Corporation

download.saintcorporation.com

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.968 High

EPSS

Percentile

99.7%

JSON

Added: 04/10/2009
CVE: CVE-2008-5457
BID: 33177

Background

Oracle WebLogic Server (formerly BEA WebLogic Server) is a Java web application platform.

Problem

A buffer overflow vulnerability in the WebLogic IIS connector allows remote attackers to execute arbitrary commands by sending a long, specially crafted JSESSIONID parameter to the server.

Resolution

Apply patch 7825169 as instructed in the Oracle Security Advisory.

References

<http://www.oracle.com/technology/deploy/security/wls-security/2809.html>

Limitations

Exploit works on Oracle WebLogic 10.0 IIS connector on Windows 2000.

Platforms

Windows 2000

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.968 High

EPSS

Percentile

99.7%

JSON

Related for SAINT:5CE13ECB4CAE25C047A16F8045E96C95