Security Advisories and Notifications


Security Advisory: (BEA03-39.00)

From: Oracle Corporation

Minor Subject: Remedies available to prevent Denial of Service

Product(s) Affected: WebLogic Server proxy plug-ins for WebLogic Server and Express

Threat level: High
Any user with knowledge of the vulnerability can exploit it.

Severity: High
When exploited, this vulnerability causes the website to become inaccessible even though WebLogic Server itself continues to run and report good health. Monitoring that only queries WebLogic Server will therefore not detect the outage.

Recently a developer at Jamba! identified a problem that could potentially cause a security vulnerability in certain versions of WebLogic Server and Express. Remedies are available to correct this problem (see section II below). BEA treats such possibilities with the highest degree of urgency and does everything possible to ensure the security of all customer assets. As a result, we strongly suggest the following actions:

I. Read the following advisory.
II. Apply the suggested action.
III. If you know of any additional users interested in future security advisories, please forward them the registration instructions below.


I. Advisory


This vulnerability can be triggered when incorrectly formatted URLs are sent to WebLogic Server or Express through a WebLogic Server proxy plug-in. The malformed URL causes the proxy plug-in to crash. Because the plug-in runs inside the front-end web server (Apache, iPlanet or IIS) rather than inside WebLogic Server, crashing it makes the website inaccessible while WebLogic Server itself keeps running. Sites that do not use the WebLogic Server proxy plug-ins are not affected by this vulnerability. All sites that do use the WebLogic Server proxy plug-ins are vulnerable.
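The health-reporting caveat above suggests a monitoring check. The following script is an added example, not part of this advisory and not an Oracle or BEA tool: it probes the site through the web server (and therefore through the proxy plug-in) and, separately, the WebLogic listen port directly, and flags the case where the front end is unreachable while WebLogic Server still answers. The host names, ports and paths in it are assumptions.

```python
"""External availability probe for a site fronted by a WebLogic proxy plug-in.

Added example, not part of the original BEA/Oracle advisory.  The advisory
notes that when the proxy plug-in crashes, WebLogic Server itself keeps
reporting good health, so a monitor that only asks WebLogic is blind to the
outage.  This script probes both paths and flags the "front end down, back
end up" combination.  Host names, ports and paths below are assumptions.
"""
import socket
import urllib.error
import urllib.request

# Assumed endpoints: the public URL served through the plug-in, and the
# WebLogic listen port reached directly (bypassing the web server).
FRONT_END_URL = "http://www.example.com/"
BACKEND_URL = "http://weblogic.internal.example.com:7001/"

PROBE_TIMEOUT = 5  # seconds


def probe(url, timeout=PROBE_TIMEOUT):
    """Send one well-formed GET; return (reachable, detail).

    Any HTTP reply counts as reachable: a 404 or 500 still proves the
    plug-in/web server is up and answering.  Only connection failures
    (refused, reset, timed out, unresolvable) count as "down".
    """
    req = urllib.request.Request(url, headers={"User-Agent": "wl-proxy-probe/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return True, "HTTP %d" % resp.status
    except urllib.error.HTTPError as e:
        return True, "HTTP %d" % e.code
    except (urllib.error.URLError, socket.timeout, OSError) as e:
        return False, str(e)


def classify(front_ok, backend_ok):
    """Map the two probe results to an operator-facing verdict."""
    if front_ok and backend_ok:
        return "healthy"
    if not front_ok and backend_ok:
        # The BEA03-39 symptom: users cannot reach the site, yet WebLogic
        # is up and would report itself healthy.
        return "proxy-path-down"
    if not front_ok and not backend_ok:
        return "backend-down"
    # Front end answers but the direct backend probe fails: usually the
    # probe host cannot reach the WebLogic port (firewall), not an outage.
    return "backend-unreachable-from-probe"


def check_site(front_url=FRONT_END_URL, backend_url=BACKEND_URL):
    """Probe both paths and return a dict with the verdict and raw details."""
    front_ok, front_detail = probe(front_url)
    backend_ok, backend_detail = probe(backend_url)
    return {
        "verdict": classify(front_ok, backend_ok),
        "front": front_detail,
        "backend": backend_detail,
    }


if __name__ == "__main__":
    result = check_site()
    print(result)
    # Non-zero exit lets a cron job or monitoring agent alert on it.
    raise SystemExit(0 if result["verdict"] == "healthy" else 2)
```

Run it from a host that reaches the site the way end users do; a check that runs on the WebLogic host and only queries WebLogic's own status will never see this failure. Any HTTP status is treated as reachable because a 404 or 500 still proves the plug-in answered; only a refused connection or a timeout indicates the plug-in path is down.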

The following versions of WebLogic Server and Express are affected by this vulnerability:

     · WebLogic Server and Express 6.1, 7.0 and 8.1, using the WebLogic Server proxy plug-in for the Apache, iPlanet or IIS web servers.

II. SUGGESTED ACTION


Oracle strongly recommends the following course of actions:

· For WebLogic Server and Express 6.1, 7.0, and 8.1, using the WebLogic proxy plug-in on supported Unix/Linux platforms, that is:

     Apache HTTP Server running on Solaris, HPUX, Linux, AIX, or Tru64,

     or

     iPlanet running on Solaris, HPUX, or AIX:

          For customers using a plug-in with export strength SSL:

               Download and apply the patch #7823372 from OracleMetaLink as per the instructions below:
               • Select the Patches and Updates tab after logging in to OracleMetaLink.
               • Click Simple Search.
               • In the Search By field, select Patch Number from the list.
               • Enter the patch number. The patch number may be different for different product releases and platforms.
               • Select the platform (or choose generic as applicable)
               • Click Go.
               • Click Download to download the patch.

          For customers using a plug-in with domestic strength SSL:

               Contact Oracle Customer Support.

          Follow the instructions in the enclosed readme to extract and apply the updated components.

     The remedy will be available in the versions of the plug-ins distributed with:
  • WebLogic Server 6.1 Service Pack 6
  • WebLogic Server 7.0 Service Pack 5
  • WebLogic Server 8.1 Service Pack 2

· For WebLogic Server and Express 6.1, 7.0, and 8.1, using the WebLogic proxy plug-in on supported Microsoft NT platforms, that is:

     Apache HTTP Server on Microsoft NT or Microsoft Windows 2000,

     or

     Microsoft Internet Information Services on Microsoft NT or Microsoft Windows 2000:

          For customers using a plug-in with export strength SSL:

               Download and apply the patch #7823384 from OracleMetaLink as per the instructions below:
               • Select the Patches and Updates tab after logging in to OracleMetaLink.
               • Click Simple Search.
               • In the Search By field, select Patch Number from the list.
               • Enter the patch number. The patch number may be different for different product releases and platforms.
               • Select the platform (or choose generic as applicable)
               • Click Go.
               • Click Download to download the patch.

          For customers using a plug-in with domestic strength SSL:

               Contact Oracle Customer Support.

          Follow the instructions in the enclosed readme to extract and apply the updated components.

     The remedy will be available in the versions of the plug-ins distributed with:
  • WebLogic Server 6.1 Service Pack 6
  • WebLogic Server 7.0 Service Pack 5
  • WebLogic Server 8.1 Service Pack 2


SECURITY COMMUNICATIONS

Oracle strongly suggests that customers apply the remedies recommended in all our security advisories. Oracle also urges customers to apply every Service/Maintenance Pack as they are released. Service/Maintenance Packs include a roll-up of all bug fixes for each version of the product, as well as each of the prior Service/Maintenance Packs. Service/Maintenance Packs and information about them can be found at: http://www.oracle.com/technology/software/products/ias/bea_main.html

Note: Information about securing WebLogic Server and WebLogic Express can be found at http://edocs.bea.com/wls/docs103/security.html. Specific lockdown information is provided at http://e-docs.bea.com/wls/docs103/lockdown/index.html. We strongly encourage you to review this documentation to ensure your server deployment is securely configured.

As a policy, if there are any security-related issues with any Oracle product, Oracle will distribute an advisory and instructions with the appropriate course of action. Because the security of your site, data, and code is our highest priority, we are committed to communicating all security-related issues clearly and openly.

All previous advisories can be viewed at: http://www.oracle.com/technology/deploy/security/wls-security.

Additional users who wish to register for product advisory distribution should follow the registration directions at: http://www.oracle.com/technology/deploy/security/alerts.htm.

Security issues can be reported to Oracle by following the directions at: http://www.oracle.com/technology/deploy/security/alerts.htm.

Thank you,
Oracle Corporation