In association with heise online

30 July 2008, 14:01

Oracle warns of WebLogic exploit


Oracle has reacted to an acute and critical security problem by issuing a security alert outside of its regular quarterly cycle. In the middle of last week, a hacker using the pseudonym KingCope published an exploit which can cause a buffer overflow in Oracle WebLogic, formerly known as BEA WebLogic. Now the database specialist is telling its customers how to protect themselves against the acute danger it poses.

Versions 6.1 to 10 of the WebLogic plug-in for Apache apparently do not check the length of transferred parameters, which can result in a buffer overflow. This can be exploited over the network without a user account. While Oracle assigns the problem the highest score of 10 in the CVSS security rating scheme, it is silent on KingCope’s claim that the hole allows code to be injected. There is no patch yet; until one is available, a workaround has been provided to reduce the risk.

Oracle recommends limiting the length of URLs in the Apache configuration to 4000 characters with LimitRequestLine 4000. However, this could cause problems for applications that use longer URLs. The database giant suggests another alternative: using the Apache mod_security firewall to filter URLs.
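The two workarounds above, written out as an Apache configuration fragment. This is an added illustration, not configuration from Oracle's alert or from the article: the LimitRequestLine value comes from the text, while the mod_security rule (ModSecurity 2.x syntax), its rule id and the `/weblogic/` path it is scoped to are assumptions chosen for the example. The second option only applies the length limit to the location proxied to WebLogic, which is what lets other applications on the same server keep using longer URLs.

```apache
# Option 1 (from Oracle's advice): cap the whole request line server-wide.
# Apache's default is 8190 bytes; 4000 is the value Oracle recommends.
# Context: server config or <VirtualHost> only, so it affects every
# application on this server, including ones that need longer URLs.
LimitRequestLine 4000

# Option 2 (Oracle's alternative): use mod_security to enforce the same
# limit only on the path that is handed to the WebLogic plug-in.
# The path /weblogic/ and the rule id are placeholders for this example.
<IfModule mod_security2.c>
    SecRuleEngine On
    <Location /weblogic/>
        # Reject, with 414 Request-URI Too Long, any URI (path plus query
        # string) longer than 4000 characters before it reaches the plug-in.
        SecRule REQUEST_URI "^.{4001,}" \
            "id:900001,phase:1,deny,status:414,log,msg:'WebLogic plug-in: URI over 4000 chars'"
    </Location>
</IfModule>
```

Requests that hit either limit are logged (Apache's error log for option 1, ModSecurity's audit log for option 2), so the same configuration also gives an indicator of whether anyone is probing the plug-in with oversized URLs while the patch is outstanding.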

Oracle has not stated when a patch will be available to fix the cause of the problem. But it should be released as soon as possible – that is, outside the normal quarterly security update cycle. The last patch day was two weeks ago and provided 45 security patches for Oracle users.
