Source: SAINT Corporation
ID: SAINT:E4930D8429EB7EA40C639BF71410F69A
Date: Apr 10, 2009 - 12:00 a.m.

Oracle WebLogic Server IIS Connector JSESSIONID buffer overflow

download.saintcorporation.com

EPSS: 0.968
Percentile: 99.7%

Added: 04/10/2009
CVE: CVE-2008-5457
BID: 33177

Background

Oracle WebLogic Server (formerly BEA WebLogic Server) is a Java web application platform.

Problem

A buffer overflow vulnerability in the WebLogic IIS connector allows remote attackers to execute arbitrary commands by sending a long, specially crafted JSESSIONID parameter to the server.

Resolution

Apply patch 7825169 as instructed in the Oracle Security Advisory.

References

<http://www.oracle.com/technology/deploy/security/wls-security/2809.html>

Limitations

Exploit works on Oracle WebLogic 10.0 IIS connector on Windows 2000.

Platforms

Windows 2000