News

WebLogic Security Hole Found

A recently uncovered flaw with the Oracle WebLogic server allows users to gain entry to the software's server without a user name or password.

Oracle has posted instructions on configuring to software so that it will not be susceptible to an attack based on this flaw. The company will also release a patch to fix the problem.

Malicious code harnessing the flaw can "impact the availability, confidentiality or integrity of WebLogic Server applications which use the Apache Web server configured with the WebLogic plug-in for Apache," according to the Oracle advisory.

An exploit could be used to stage a denial-of-service attack on the machine, or even be used to gain entry to that system. Versions 10.3 and earlier of Oracle WebLogic Server (formerly called BEA WebLogic Server) are susceptible to this exploit.

The vulnerability resides in a WebLogic plug-in module for the Apache Web server. It is a buffer overflow, meaning malicious users could append executable code onto the end of a bogus request for a Web page, one made up of an abnormally long string of characters.

The work-around consists of limiting the length of a Web address that can be submitted to the Apache Web server to 4,000 characters or less. This can be done either by adding a line to the Apache configuration file, or installing an Apache security module.

According to Oracle, code exploiting this flaw was posted on the Internet without any prior notification to the company. Because Oracle did not have time to prepare a patch, it has issued an alert outside its routine quarterly patch cycle.

Oracle has rated the severity of this hole as high on the Common Vulnerability Scoring System. The National Vulnerability Database has assigned the vulnerability ID CVE-2008-3257 to this flaw.

About the Author

Joab Jackson is the chief technology editor of Government Computing News (GCN.com).

Featured

  • Microsoft Previews Windows Autopilot for HoloLens 2

    Microsoft on Friday announced a public preview of Windows Autopilot for HoloLens 2, its mixed-reality headset.

  • Microsoft Flirts with Charging for API Software Connections

    Microsoft may have started something new by attempting to charge its customers for software that uses its application programming interfaces (APIs).

  • Overcoming Spacesuit Anxiety During Astronaut Training

    Spacesuits are heavy, claustrophobic and hot -- an uncomfortable combination for many would-be astronauts. Here's how Brien came around to the idea of wearing one.

  • Microsoft Announces Azure Kubernetes Service Enhancements

    Microsoft this week announced a few Azure Kubernetes Service (AKS) product milestones as part of the KubeCon event.

comments powered by Disqus