SAINT CorporationSAINT:E4930D8429EB7EA40C639BF71410F69AOracle WebLogic Server IIS Connector JSESSIONID buffer overflow
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.968 High
EPSS
Percentile
99.6%
Added: 04/10/2009
CVE: CVE-2008-5457
BID: 33177
Background
Oracle WebLogic Server (formerly BEA WebLogic Server) is a Java web application platform.
Problem
A buffer overflow vulnerability in the WebLogic IIS connector allows remote attackers to execute arbitrary commands by sending a long, specially crafted JSESSIONID parameter to the server.
Resolution
Apply patch 7825169 as instructed in the Oracle Security Advisory.
References
<http://www.oracle.com/technology/deploy/security/wls-security/2809.html>
Limitations
Exploit works on Oracle WebLogic 10.0 IIS connector on Windows 2000.
Platforms
Windows 2000
Related
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.968 High
EPSS
Percentile
99.6%