__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                 Oracle Weblogic Apache Connector Vulnerability
                            [Security Advisory 2793]

August 20, 2008 16:00 GMT                                         Number S-367
______________________________________________________________________________
PROBLEM:       An exploit has been public which may impact the availability, 
               confidentiality or integrity of WebLogic Server applications 
               which use the Apache web server configured with the WebLogic 
               plug-in for Apache. This vulnerability may be remotely 
               exploitable without authentication, i.e. it may be exploited 
               over a network without the need for a username and password. 
PLATFORM:      WebLogic Server and WebLogic Express 
DAMAGE:        Execute arbitrary code. 
SOLUTION:      Upgrade to the appropriate version. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. A remote, authenticated attacker may be 
ASSESSMENT:    able to execute arbitrary code. 
______________________________________________________________________________
CVSS 2 BASE SCORE: 7.5 
 TEMPORAL SCORE:   6.2 
 VECTOR:           (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C) 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-367.shtml 
 ORIGINAL BULLETIN:  https://support.bea.com/application_content/product_
                               portlets/securityadvisories/2793.html 
 ADDITIONAL LINK:    http://www.kb.cert..org/vuls/id/716387
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= 
                     CVE-2008-3257 
______________________________________________________________________________
[***** Start Security Advisory 2793 *****]

 Security Advisories and Notifications
Subject: SECURITY ADVISORY (CVE-2008-3257) version .01
From: Oracle Corporation
Minor Subject: Patch available for security vulnerability in WebLogic plug-in for 
Apache 
Product(s) Affected: WebLogic Server and WebLogic Express 

Oracle treats potential security problems with a high degree of urgency and 
endeavors to take appropriate steps to help ensure the security of our customers’ 
systems. As a result, Oracle strongly suggests the following actions:

I. Read the following advisory.

II. Apply the suggested action.

III. If you know of any additional users interested in future security advisories, 
please forward them the registration instructions included in this advisory. 

I. DESCRIPTION 
On July 28, 2008, Oracle published CVE2008-3257 as an early notification of a 
critical vulnerability in the WebLogic plug-in for Apache. This revised 
advisory provides a remedy for that vulnerability. 

Recently an exploit has been made public which may impact the availability, 
confidentiality or integrity of WebLogic Server applications which use the 
Apache web server configured with the WebLogic plug-in for Apache. This 
vulnerability may be remotely exploitable without authentication, i.e. it may 
be exploited over a network without the need for a username and password. 

This note supersedes the previous version that provided only workarounds for 
this vulnerability.

This revision adds information describing how to obtain an updated version of 
the Apache plug-in to remedy this issue without the use of workarounds. 



II. IMPACT AND CVSS RATINGS 
CVSS Severity Score: 10.0 (High)
Attack Range (AV): Network
Attack Complexity (AC): Low 
Authentication Level (Au): None 
Impact Type: Complete confidentiality, integrity and availability violation 
Vulnerability Type: Denial of Service 
CVSS Base Score Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C) 


Usage of CVSS by Oracle:
http://www.oracle.com/technology/deploy/security/cpu/cvssscoringsystem.htm 



III. AFFECTED VERSIONS 
The following versions of WebLogic Server and WebLogic Express are affected by 
this vulnerability

Apache Plug-ins dated prior to July 28, 2008 which implies:

Oracle WebLogic Server 10.0 released through MP1

Oracle WebLogic Server 9.2 released through MP3

Oracle WebLogic Server 9.1

Oracle WebLogic Server 9.0

Oracle WebLogic Server 8.1 released through SP6

Oracle WebLogic Server 7.0 released through SP7

Oracle WebLogic Server 6.1 released through SP7

Note: Apache servers that are already configured with the mod_security module 
are protected from this vulnerability by the default core ruleset.



IV. SUGGESTED ACTION
Oracle strongly recommends the following course of action:

WebLogic Server plug-ins for Apache web server: 



1. Download the latest web server plug-in from the following location: 

ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/
WLSWebServerPlugins1.0.1136334-Apache.zip



2. Save a copy of your old plug-in and install the appropriate plug-in on your Web 
Server.



3. Restart your Web Server 


Note: The WebLogic plug-in is compatible with all versions of WebLogic Server.
Note: WebLogic Server 10.3 includes this fix. 



Workarounds: 


Oracle recommends that patches, rather than workarounds, be applied to address this 
vulnerability. In the earlier version of this advisory, Oracle provided the following 
workarounds for this exploit:

Apache LimitRequestLine Parameter 

It is possible to configure Apache and avert this vulnerability by rejecting 
certain invalid requests. To do so, add the following parameter to the httpd.conf 
file and restart Apache: 


LimitRequestLine 4000 
See: Apache LimitRequestLine documentation for more information

Note: This parameter limits the maximum URL length to less than 4000 bytes. 

Apache mod_security Module


Oracle believes that the workaround using the LimitRequestLine parameter will 
provide a complete workaround for WebLogic users that do not require URLs that 
exceed 4,000 bytes. If there are cases where the use of the LimitRequestLine 
parameter is not an option, users may also consider use of mod_security in Apache 
Web Server environments.

This is available in open source from http://www.modsecurity.org/ to address the 
vulnerability. The mod_security module need only be installed and enabled in order 
to provide a workaround for this vulnerability. Oracle recommends evaluation in 
customer environments prior to usage in production.

Oracle strongly recommends that you backup and comprehensively test the stability 
of your system upon application of any patch or workaround prior to deleting any 
of the original file(s) that are replaced by a patch or workaround.

Oracle strongly suggests that customers apply the remedies recommended in all 
our security advisories. For BEA products, Oracle also urges customers to 
apply every Service/Maintenance Pack as they are released. Service/Maintenance 
Packs include a roll-up of all bug fixes for each version of the product, as 
well as each of the prior Service/Maintenance Packs. Service/Maintenance Packs 
and information about them can be found at:

WebLogic Server: http://commerce.bea.com/showallversions.jsp?family=WLS 

WebLogic Platform: http://commerce.bea.com/showallversions.jsp?family=WLP 

Note: Information about securing WebLogic Server and WebLogic Express can be 
found at http://edocs.bea.com/wls/docs100/security.html. Specific lockdown 
information is provided at http://edocs.bea.com/wls/docs100/lockdown/index.html. 
We strongly encourage you to review this documentation to ensure your server 
deployment is securely configured. 



V. SECURITY COMMUNICATIONS
All previous advisories and notifications can be viewed at https://support.
bea.com/application_content/product_portlets/securityadvisories/index.html

Additional users who wish to register for BEA product advisory distribution 
should follow the registration directions at https://support.bea.com/
application_content/product_portlets/securityadvisories/index.html



VI. REPORTING SECURITY ISSUES
Security issues for BEA products can be reported to Oracle by following the 
directions at https://support.bea.com/application_content/product_portlets/
securityadvisories/index.html. 

If you have any questions or have a need to verify the authenticity of this 
advisory, please contact Oracle Technical Support for BEA products at 
support@bea.com

Thank you,
Oracle Corporation



[***** End Security Advisory 2793 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Oracle for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-213: Nukedit 'email' Parameter Vulnerability
S-214: SurgeMail and WebMail 'Page' Command Vulnerability
S-215: Symantec Backup Exec Scheduler ActiveX Control Multiple Vulnerabilities
S-216: Juniper Networks Secure Access 2000 'rdremediate.cgi' Vulnerability
S-217: Drupal Multiple HTML Vulnerabilities
S-218: gd Security Update
S-219: Juniper Networks Secure Access 2000 Web Root Path Vulnerability
S-220: PHP-Nuke My_eGallery Module 'gid' Parameter Vulnerability
S-221: Learn2 STRunner ActiveX Control Vulnerabilities
S-222: Evolution Security Update