News

WebLogic Security Hole Found

A recently uncovered flaw with the Oracle WebLogic server allows users to gain entry to the software's server without a user name or password.

Oracle has posted instructions on configuring to software so that it will not be susceptible to an attack based on this flaw. The company will also release a patch to fix the problem.

Malicious code harnessing the flaw can "impact the availability, confidentiality or integrity of WebLogic Server applications which use the Apache Web server configured with the WebLogic plug-in for Apache," according to the Oracle advisory.

An exploit could be used to stage a denial-of-service attack on the machine, or even be used to gain entry to that system. Versions 10.3 and earlier of Oracle WebLogic Server (formerly called BEA WebLogic Server) are susceptible to this exploit.

The vulnerability resides in a WebLogic plug-in module for the Apache Web server. It is a buffer overflow, meaning malicious users could append executable code onto the end of a bogus request for a Web page, one made up of an abnormally long string of characters.

The work-around consists of limiting the length of a Web address that can be submitted to the Apache Web server to 4,000 characters or less. This can be done either by adding a line to the Apache configuration file, or installing an Apache security module.

According to Oracle, code exploiting this flaw was posted on the Internet without any prior notification to the company. Because Oracle did not have time to prepare a patch, it has issued an alert outside its routine quarterly patch cycle.

Oracle has rated the severity of this hole as high on the Common Vulnerability Scoring System. The National Vulnerability Database has assigned the vulnerability ID CVE-2008-3257 to this flaw.

About the Author

Joab Jackson is the chief technology editor of Government Computing News (GCN.com).

Featured

  • Google IDs on Azure Active Directory B2B Service Now at 'General Availability'

    Microsoft announced on Wednesday that users of the Google identity and access service can use their personal log-in IDs with the Azure Active Directory B2B service to access resources as "guests."

  • Top 4 Overlooked Features of a Data Backup Strategy

    When it comes to implementing an airtight backup-and-recovery plan, these are the four must-have features that many enterprises nevertheless tend to forget.

  • Microsoft Bolsters Kubernetes with Azure Confidential Computing

    Microsoft on Tuesday announced various developments concerning the use of Kubernetes, an open source container orchestration solution fostered by Google.

  • Windows Will Have Support for Encrypted DNS

    Microsoft announced this week that the Windows operating system already has support for an encrypted Domain Name System option that promises to add greater privacy protections for Internet connections.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.