Wednesday, July 30, 2008
Priority: HIGH
Impact: Potential execution of arbitrary code or denial of service by crashing the server. PCI DSS non-compliance.
Resolution: Verify the blocking policy in the web application firewall and apply the appropriate patch from Oracle.
Who: All websites using the following Oracle WebLogic (formerly BEA WebLogic) Server versions are affected:
What: Oracle WebLogic’s mod_wl module (formerly BEA mod_wl) is prone to a remote buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
How: The mod_wl module does not properly validate the HTTP version data that is passed by a client. An attacker may execute arbitrary OS-level commands by including them in a large amount of data injected into the HTTP protocol version portion of a URL request.
Example of a normal URL: POST /blah.jsp HTTP/1.0
Example of a URL with the injection vector: POST /blah.jsp [attack vector]
Proof of concept code has been posted on the SecurityFocus website:
http://downloads.securityfocus.com/vulnerabilities/exploits/30273.pl
Impact: An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
Additionally, organizations impacted by this vulnerability may be classified as out of compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) if the WebLogic application is processing credit card data. Requirement 6.5.1 of the PCI DSS states that web applications should protect against:
“Unvalidated Input: Information from web requests should be validated before being sent to the web application—for example, checks for all alpha characters, mix of alpha and numeric, etc., should be done. Without these checks, hackers can pass invalid information into an application and attack components inside the network through the application.”
Risk: Because the vendor has not released a patch for this issue, we are categorizing this as a HIGH severity issue.
How WebDefend Customers Are Protected: WebDefend customers are proactively protected from attempts to exploit this vulnerability by the HTTP Constraints capability. HTTP Constraints define behavioral restrictions placed upon various characteristics of the HTTP protocol as it relates to interactions with a web application. These restrictions bound the size of HTTP components, such as the number of parameters allowed and the maximum lengths of URLs and headers. In effect, HTTP Constraints define the acceptable behavior of HTTP for a web application by setting boundary conditions on communication with that application.
HTTP Constraints provide protection against attacks that try to break web applications by manipulating HTTP components by using extreme conditions, such as overly long URLs and headers or huge numbers of parameters. These attacks expect to break into a web server by overextending the intended usage of HTTP components.
How ModSecurity Pro M1100 Customers Are Protected: M1100 customers already have protection against this attack through the existing HTTP Protocol Policy rules. These rules identify abnormal requests that do not adhere to the HTTP RFC standard. For this attack, the relevant rule allows only the following HTTP versions: 0.9, 1.0 and 1.1. M1100 customers have additional protections, including outbound inspection checks that identify WebLogic information-disclosure error messages.
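The two protections described above (length constraints on HTTP components, and a protocol policy that admits only HTTP versions 0.9, 1.0 and 1.1) can be illustrated as a request-line check. The following Python is an added example written for this alert; it is not WebDefend, M1100 or ModSecurity code. The length thresholds are assumptions chosen for the example, and the sample request lines are constructed, including an oversized HTTP-version token standing in for the injected data the alert describes.

```python
import re
from typing import List, NamedTuple


class Verdict(NamedTuple):
    allowed: bool
    reason: str


# Policy knobs modelled on the two protections described in the alert.
# The numeric limits are assumptions for this example, not product defaults.
MAX_REQUEST_LINE_LENGTH = 4096     # HTTP Constraint: whole request line
MAX_URI_LENGTH = 2048              # HTTP Constraint: maximum URL length
MAX_VERSION_TOKEN_LENGTH = 8       # len("HTTP/1.1"); anything longer is abnormal
ALLOWED_VERSIONS = {"HTTP/0.9", "HTTP/1.0", "HTTP/1.1"}  # Protocol Policy rule

# RFC 2616 request line: Method SP Request-URI SP HTTP-Version
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) (\S+)$")
# An HTTP/0.9 "simple request" carries no version token at all
SIMPLE_REQUEST = re.compile(r"^GET (\S+)$")


def check_request_line(line: str) -> Verdict:
    """Apply length constraints first, then grammar, then the version policy."""
    line = line.rstrip("\r\n")
    if len(line) > MAX_REQUEST_LINE_LENGTH:
        return Verdict(False, "request line length %d exceeds %d"
                       % (len(line), MAX_REQUEST_LINE_LENGTH))

    m = SIMPLE_REQUEST.match(line)
    if m:
        uri, version = m.group(1), "HTTP/0.9"
    else:
        m = REQUEST_LINE.match(line)
        if not m:
            return Verdict(False, "request line does not match 'Method SP URI SP Version'")
        uri, version = m.group(2), m.group(3)

    if len(uri) > MAX_URI_LENGTH:
        return Verdict(False, "URI length %d exceeds %d" % (len(uri), MAX_URI_LENGTH))
    # Check the token length before its value so the reason never echoes a huge token
    if len(version) > MAX_VERSION_TOKEN_LENGTH:
        return Verdict(False, "HTTP version token length %d exceeds %d"
                       % (len(version), MAX_VERSION_TOKEN_LENGTH))
    if version not in ALLOWED_VERSIONS:
        return Verdict(False, "HTTP version %r not in allowed set" % version)
    return Verdict(True, "ok")


# Constructed sample request lines (not captured traffic)
SAMPLE_REQUEST_LINES = [
    "POST /blah.jsp HTTP/1.0",                      # the alert's normal request
    "GET /index.html HTTP/1.1",
    "GET /index.html",                              # HTTP/0.9 simple request
    "GET /index.html HTTP/9.9",                     # version outside the policy
    "POST /blah.jsp HTTP/1.0" + "A" * 3000,         # oversized version token
    "POST /blah.jsp HTTP/1.0" + "A" * 5000,         # overlong request line
    "GET /index.html HTTP/1.1 junk",                # malformed grammar
]


def audit(lines: List[str]) -> List[Verdict]:
    """Evaluate each request line and return the verdicts in order."""
    return [check_request_line(line) for line in lines]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_REQUEST_LINES, audit(SAMPLE_REQUEST_LINES)):
        status = "ALLOW" if verdict.allowed else "BLOCK"
        print("%s  %-32s  %s" % (status, line[:32], verdict.reason))
```

The ordering matters: a length check runs before any parsing, so an overlong line is rejected without the inspecting component ever handling the oversized token, and the version-token length is tested before its value so that the logged reason never reproduces the injected data.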
How ModSecurity Open-Source Customers Are Protected: Oracle recommends the use of the ModSecurity open-source software as a workaround until a patch is available and believes it will provide protection against this vulnerability: https://support.bea.com/application_content/product_portlets/securityadvisories/2793.html
ModSecurity is available from http://www.modsecurity.org/ and may be compiled into the WebLogic web server to address the vulnerability. Breach Security offers full commercial support and rules package offerings to open-source ModSecurity users: http://www.breach.com/assets/files/downloads/service_support_datasheet.pdf
All Breach Security customers should verify their security settings to ensure the appropriate prevention mechanisms are active, specifically, that the appliances are configured in a blocking mode for these attacks.
Contact: For more information on this alert, please email support@breach.com.