Re: Assurent VR - Oracle BEA WebLogic Server Apache Connector Buffer Overflow

2009-01-16T00:00:00
ID SECURITYVULNS:DOC:21159
Type securityvulns
Reporter Securityvulns
Modified 2009-01-16T00:00:00

Description

Hello Assurent & Oracle,

On Tue, 13 Jan 2009, VR-Subscription-noreply@assurent.com wrote:

: Oracle BEA WebLogic Server Apache Connector Buffer Overflow
:
: Reference: http://www.bea.com/weblogic/server/
:
: 2. Vulnerability Summary
:
: A remotely exploitable vulnerability has been discovered in the Apache
: Connector component of Oracle BEA WebLogic Server. Specifically, the
: vulnerability is due to a boundary error when processing incoming HTTP
: requests and can lead to a buffer overflow condition. This boundary
: error can lead to a Denial of Service (DoS) condition for the Apache
: HTTP server.
:
: 3. Vulnerability Analysis
:
: A remote unauthenticated attacker can exploit the vulnerability by
: sending a malicious HTTP request to the target system. A successful
: attack will result in a Denial of Service (DoS) condition for the Apache
: HTTP server, including all Apache-negotiated HTTP traffic to the
: WebLogic Server.

: Reference: https://support.bea.com/application_content/product_portlets/securityadvisories/2809.html

According to Assurent, this is a remote overflow that creates a DoS condition. No mention of running arbitrary code.

Oracle's advisory says:

CVSS Severity Score: 10.0 (High)
Attack Range (AV): Network
Attack Complexity (AC): Low
Authentication Level (Au): None
Impact Type: Complete confidentiality, integrity and availability violation
Vulnerability Type: Denial of Service
CVSS Base Score Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

So it is a "Denial of Service" but results in a complete compromise of confidentiality, integrity and availability. A 10.0 score typically means remote, unauthenticated execution of attacker-controlled code. Which is correct?

Further, Oracle's advisory says this affects "Security vulnerability in WebLogic plug-ins for Apache, Sun and IIS Web servers", implying this affects multiple plug-ins, not just the one for Apache. The advisory also uses this wording further suggesting three separate plug-ins: "This vulnerability may impact the availability, confidentiality or integrity of WebLogic Server applications, which use the Apache, Sun or IIS web server configured with the WebLogic plug-in for Apache, Sun or IIS respectively."

Is it really one plug-in that works with all three? Or does this only affect an Apache plug-in?
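The inconsistency raised above (a "Denial of Service" that carries a 10.0 score and a C:C/I:C/A:C vector) can be checked directly from the CVSS v2 base-score equations. The following is an added example, written for this record and not taken from the post or from either advisory: it parses a CVSS v2 base vector, applies the published v2 weights, and reports the score and what the impact sub-metrics actually claim. Run on Oracle's vector it yields 10.0; with confidentiality and integrity set to None, the score a pure availability impact would carry, it yields 7.8. Function names and the constructed vectors are this example's own.

```python
from decimal import Decimal, ROUND_HALF_UP

# Base-metric weights from the CVSS v2.0 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# Metric name -> allowed values, in the order a v2 base vector lists them.
BASE_METRICS = {
    "AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
    "C": IMPACT, "I": IMPACT, "A": IMPACT,
}


def parse_vector(vector):
    """Parse a v2 base vector such as '(AV:N/AC:L/Au:N/C:C/I:C/A:C)'.

    Surrounding parentheses are tolerated; unknown or missing metrics and
    unknown values raise ValueError rather than silently scoring.
    """
    metrics = {}
    for part in vector.strip().strip("()").split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in BASE_METRICS:
            raise ValueError(f"malformed or unknown metric {part!r}")
        if value not in BASE_METRICS[name]:
            raise ValueError(f"unknown value {value!r} for metric {name}")
        metrics[name] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def _round1(x):
    # The spec rounds to one decimal; use half-up rather than Python's
    # default banker's rounding so borderline values match published scores.
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector):
    """CVSS v2 base score: ((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact)."""
    m = parse_vector(vector)
    c, i, a = IMPACT[m["C"]], IMPACT[m["I"]], IMPACT[m["A"]]
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = (20 * ACCESS_VECTOR[m["AV"]]
                      * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]])
    f_impact = 0.0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def impact_type(vector):
    """Describe what the C/I/A sub-metrics of a vector actually assert."""
    m = parse_vector(vector)
    affected = [n for n in ("C", "I", "A") if m[n] != "N"]
    if not affected:
        return "no impact"
    if affected == ["A"]:
        return "availability only (pure denial of service)"
    if all(m[n] == "C" for n in ("C", "I", "A")):
        return "complete confidentiality, integrity and availability violation"
    return "mixed: " + ", ".join(f"{n}:{m[n]}" for n in affected)


if __name__ == "__main__":
    # Vector as published in the Oracle advisory quoted above.
    published = "(AV:N/AC:L/Au:N/C:C/I:C/A:C)"
    # Constructed alternative: same exploitability, availability impact only.
    dos_only = "AV:N/AC:L/Au:N/C:N/I:N/A:C"
    for v in (published, dos_only):
        print(f"{v:32} score={base_score(v):4} {impact_type(v)}")
```

The second vector is the one a remotely triggerable crash of the web server would normally carry; the gap between 7.8 and 10.0 is entirely the C:C/I:C component, which is why the score and the "Denial of Service" label cannot both be right as written.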