Oracle warns of WebLogic exploit
Oracle has reacted to an acute and critical security problem by issuing a security alert outside of its regular quarterly cycle. In the middle of last week, a hacker using the pseudonym KingCope published an exploit for a buffer overflow in the Apache plug-in for Oracle WebLogic, formerly known as BEA WebLogic. Now the database specialist is telling its customers how to protect themselves against the acute danger it poses.
Versions 6.1 to 10 of the WebLogic plug-in for Apache apparently do not check the length of transferred parameters, which can result in a buffer overflow. The flaw can be exploited over the network without a user account. While Oracle gives the problem the highest possible score of 10 in the CVSS rating scheme, it says nothing about KingCope's claim that the hole allows arbitrary code to be executed. There is no patch yet; until one appears, Oracle has provided a workaround to reduce the risk.
Oracle recommends limiting the length of the HTTP request line in the Apache configuration to 4000 characters with the directive LimitRequestLine 4000. However, this could cause problems for applications that legitimately use longer URLs. As an alternative, the database giant suggests using the mod_security web application firewall module (ModSecurity) to filter overlong URLs before they reach the plug-in.
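The two workarounds side by side, as an added configuration example that is not taken from the article or from Oracle's alert. The ModSecurity rule id, the 414 response status, the /app location and the backend host and port are assumptions chosen for illustration; the ModSecurity syntax is that of the 2.x module.

```apache
# Added example: httpd.conf fragment applying Oracle's workaround for the
# WebLogic plug-in overflow. Rule id, status code, location and backend
# address are assumed values, not from Oracle's alert.

# Option 1: cap the whole request line (method + URI + HTTP version).
# Apache's default is 8190 bytes; Oracle recommends 4000. Apache rejects
# a longer request line with "414 Request-URI Too Long" before any
# handler runs, so the WebLogic plug-in never sees it. The directive is
# server-wide and will also break legitimate applications that rely on
# longer URLs.
LimitRequestLine 4000

# Option 2: keep the default request-line limit and let ModSecurity reject
# only requests whose URI exceeds 4000 characters. phase:1 evaluates the
# rule on the request headers, i.e. before mod_wl processes the request.
<IfModule mod_security2.c>
    SecRuleEngine On
    # REQUEST_URI is the URI part of the request line; 4001 or more
    # characters means it is over the recommended limit.
    SecRule REQUEST_URI "@rx ^.{4001,}" \
        "id:1000001,phase:1,t:none,deny,status:414,log,msg:'Request URI over 4000 chars (WebLogic plug-in workaround)'"
</IfModule>

# Plug-in wiring, shown only for context (assumed path and backend):
<IfModule mod_weblogic.c>
    <Location /app>
        SetHandler weblogic-handler
        WebLogicHost 10.0.0.5
        WebLogicPort 7001
    </Location>
</IfModule>
```

Option 2 can be narrowed further, for example by wrapping the SecRule in the same Location block as the plug-in, so that only URLs forwarded to WebLogic are length-checked while the rest of the server keeps Apache's default limit. Neither option is a fix: both merely keep overlong input away from the unpatched plug-in.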
Oracle has not said when a patch that fixes the cause of the problem will be available, but it should be released as soon as possible, that is, outside the normal quarterly security update cycle. The last patch day was two weeks ago and brought 45 security patches for Oracle users.
- Exploit published for buffer overflow in BEA WebLogic
- Oracle Security Alert for CVE-2008-3257, Oracle security alert
- Security vulnerability in WebLogic plug-in for Apache, Security alert with workaround
- Security Alert for CVE-2008-3257 Released, entry in Oracle’s security blog