BEA WebLogic Input Validation Flaw in Proxy Plug-in Lets Remote Users Crash the Service With Malformed URLs
SecurityTracker Alert ID: 1008156
CVE Reference: GENERIC-MAP-NOMATCH
Date: Nov 12 2003
Impact: Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): WebLogic Server and Express 6.1, 7.0 and 8.1, using the WebLogic Server proxy plugin for Apache, iPlanet or IIS webservers.
Description: A denial of service vulnerability was reported in BEA's WebLogic Server and Express when using a proxy plug-in. A remote user can cause the proxy plug-in to crash.

It is reported that a remote user can send incorrectly formatted URLs to WebLogic Server or Express through a WebLogic Server proxy plug-in to cause the proxy plug-in to crash. As a result, the target web site will be inaccessible.

Only sites that use the WebLogic Server proxy plug-ins are affected, the vendor said.

Jamba! is credited with reporting this flaw.
Impact: A remote user can cause the proxy plug-in to crash, making the web service inaccessible to other users.
Solution: The vendor has released a fix.

For WebLogic Server and Express 6.1, 7.0, and 8.1 users with a WebLogic proxy plugin on Apache HTTP Server running on Solaris, HPUX, Linux, AIX, or Tru64, or on iPlanet running on Solaris, HPUX, or AIX, you can download a fix that contains export strength SSL:
ftp://ftpna.beasys.com/pub/releases/security/CR121341.zip
To obtain domestic strength SSL, contact BEA Customer Support.

For WebLogic Server and Express 6.1, 7.0, and 8.1 customers using the WebLogic proxy plugin on Apache HTTP Server on Microsoft NT or Microsoft Windows 2000, or on Microsoft Internet Information Services on Microsoft NT or Microsoft Windows 2000, the fix for plug-ins with export strength SSL is available at:
ftp://ftpna.beasys.com/pub/releases/security/CR121341_win.zip
To obtain domestic strength SSL, contact BEA Customer Support.

The vendor reports that the fix will be included in the versions of the plug-ins that will be distributed with the following service packs:
* WebLogic Server 6.1 Service Pack 6
* WebLogic Server 7.0 Service Pack 5
* WebLogic Server 8.1 Service Pack 2
Vendor URL: dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03_39.00.jsp
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)
Message History:
None.
Source Message Contents
Date: Wed, 12 Nov 2003 15:56:21 -0500
Subject: http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03_39.00.jsp
http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03_39.00.jsp
> SECURITY ADVISORY (BEA03-39.00)
> Product(s) Affected: WebLogic Server proxy plug-ins for WebLogic Server and Express
> Threat level: high - Any user with knowledge can exploit this vulnerability
> Severity: high - When exploited this vulnerability will cause your website
> to become inaccessible even though WebLogic Server will continue to report good health.
A denial of service vulnerability was reported in BEA's WebLogic. A remote user can send
incorrectly formatted URLs to WebLogic Server or Express through a WebLogic Server proxy
plug-in to cause the proxy plug-in to crash. As a result, the target web site will be
inaccessible. Only sites that use the WebLogic Server proxy plug-ins are affected, the
vendor said.
The following versions are affected:
WebLogic Server and Express 6.1, 7.0 and 8.1, using the WebLogic Server proxy plugin for
Apache, iPlanet or IIS webservers.
Jamba! is credited with reporting this flaw.
The vendor has provided the following recommendations (quoted):
· For WebLogic Server and Express 6.1, 7.0, and 8.1, using the WebLogic proxy plugin on supported Unix/Linux platforms, that is Apache HTTP Server running on Solaris, HPUX, Linux, AIX, or Tru64, or iPlanet running on Solaris, HPUX, or AIX:
  For customers using a plug-in with export strength SSL: download
  ftp://ftpna.beasys.com/pub/releases/security/CR121341.zip
  For customers using a plug-in with domestic strength SSL: contact BEA Customer Support.
  Follow the instructions in the enclosed readme to extract and apply the updated components.
· For WebLogic Server and Express 6.1, 7.0, and 8.1, using the WebLogic proxy plugin on supported Microsoft NT platforms, that is Apache HTTP Server on Microsoft NT or Microsoft Windows 2000, or Microsoft Internet Information Services on Microsoft NT or Microsoft Windows 2000:
  For customers using a plug-in with export strength SSL: download
  ftp://ftpna.beasys.com/pub/releases/security/CR121341_win.zip
  For customers using a plug-in with domestic strength SSL: contact BEA Customer Support.
  Follow the instructions in the enclosed readme to extract and apply the updated components.
The vendor reports that the fix will be included in the versions of the plug-ins that will
be distributed with the following service packs:
* WebLogic Server 6.1 Service Pack 6
* WebLogic Server 7.0 Service Pack 5
* WebLogic Server 8.1 Service Pack 2