===================================================================== CERT-Renater Note d'Information No. 2008/VULN295 _____________________________________________________________________ DATE : 25/07/2008 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Systems running Oracle WebLogic Server. ====================================================================== http://www.oracle.com/technology/deploy/security/alerts/alert_cve2008-3257.html ______________________________________________________________________ Oracle Security Alert for CVE-2008-3257 Description This Security Alert addresses the security issue CVE-2008-3257, a vulnerability in the Apache Connector component (mod_weblogic) of the Oracle Weblogic Server (formerly BEA WebLogic Server). This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A knowledgeable and malicious remote user can exploit this vulnerability with resulting availability, integrity and confidentiality impact. Supported Products and Components Affected • Oracle WebLogic Server 10.0 released through MP1 • Oracle WebLogic Server 9.0, 9.1, 9.2 released through MP3 • Oracle WebLogic Server 8.1 released through SP6 • Oracle WebLogic Server 7.0 released through SP7 • Oracle WebLogic Server 6.1 released through SP7 Patch Availability Fixes for this vulnerability will be made available as soon as testing is completed when an updated version of this document will be uploaded and email sent to affected customers. Until fixes are available, workarounds described at https://support.bea.com/application_content/product_portlets/securityadvisories/2793.html provide protection against this vulnerability. Oracle strongly recommends that you backup and comprehensively test the stability of your system upon application of any patch or workaround prior to deleting any of the original file(s) that are replaced by a patch or workaround. Risk Matrix Vuln# Component Protocol Package and/or Privilege Required Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Last Affected Patch set (per Supported Release) Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability CVE-2008-3257 WebLogic Server Plugin for Apache HTTP Apache Yes 10.0 Network Low None Complete Complete Complete 10.0 MP1, 9.2 MP3, 9.1, 9.0, 8.1 SP6, 7.0 SP7, 6.1 SP7 Workarounds Until fixes are available, workarounds described at https://support.bea.com/application_content/product_portlets/securityadvisories/2793.html provide protection against this vulnerability. References * Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ] * Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ] * Risk Matrix definitions [ Risk Matrix Definitions ] * Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ] * List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network ] * Software Error Correction Support Policy [MetaLink Note 209768.1 ] * Security Advisories Notifications for BEA products [BEA Security Advisories ] Modification History 28-July-2008 Initial release ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================