Lucene search

K
saintSAINT CorporationSAINT:9CF38ACF35E4A7616D5B05AC63A7B4BF
HistoryOct 31, 2008 - 12:00 a.m.

Oracle WebLogic Server Apache Connector Transfer-Encoding buffer overflow

2008-10-3100:00:00
SAINT Corporation
download.saintcorporation.com
24

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

AI Score

7.5

Confidence

Low

EPSS

0.97

Percentile

99.8%

Added: 10/31/2008
CVE: CVE-2008-4008
BID: 31683
OSVDB: 49283

Background

Oracle WebLogic Server (formerly BEA WebLogic Server) is a Java web application platform.

Problem

A buffer overflow vulnerability allows remote attackers to execute arbitrary commands by sending a specially crafted Transfer-Encoding header in an HTTP request.

Resolution

Install the latest WebLogic Server plug-in referenced in the Oracle Security Advisory.

References

https://support.bea.com/application_content/product_portlets/securityadvisories/2806.html

Limitations

Exploit works on the WebLogic Server Connector for Apache 1.0.1136334.

Platforms

Windows

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

AI Score

7.5

Confidence

Low

EPSS

0.97

Percentile

99.8%