alert cve-2008-3257.html

Oracle Security Alert for CVE-2008-3257

Description

This Security Alert addresses the security issue CVE-2008-3257, a vulnerability in the Apache Connector component (mod_weblogic) of the Oracle Weblogic Server (formerly BEA WebLogic Server). This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A knowledgeable and malicious remote user can exploit this vulnerability with resulting availability, integrity and confidentiality impact.

Supported Products and Components Affected

• Oracle WebLogic Server 10.0 released through MP1
• Oracle WebLogic Server 9.0, 9.1, 9.2 released through MP3
• Oracle WebLogic Server 8.1 released through SP6
• Oracle WebLogic Server 7.0 released through SP7
• Oracle WebLogic Server 6.1 released through SP7

Patch Availability

Patches for this vulnerability can be found at the following:

http://www.oracle.com/technology/deploy/security/wls-security/2793.html

Oracle strongly recommends that you backup and comprehensively test the stability of your system upon application of any patch or workaround prior to deleting any of the original file(s) that are replaced by a patch or workaround.

Risk Matrix

Vuln#	Component	Protocol	Package and/or Privilege Required	Remote Exploit without Auth.?	CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)							Last Affected Patch set (per Supported Release)
Vuln#	Component	Protocol	Package and/or Privilege Required	Remote Exploit without Auth.?	Base Score	Access Vector	Access Complexity	Authentication	Confidentiality	Integrity	Availability	Last Affected Patch set (per Supported Release)
CVE-2008-3257	WebLogic Server Plugin for Apache	HTTP	Apache	Yes	10.0	Network	Low	None	Complete	Complete	Complete	10.0 MP1, 9.2 MP3, 9.1, 9.0, 8.1 SP6, 7.0 SP7, 6.1 SP7

Workarounds

Oracle recommends that patches be applied rather than workarounds. Workarounds published by Oracle before patches were made available can be found at:

http://www.oracle.com/technology/deploy/security/wls-security/2793.html

References

Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
Risk Matrix definitions [ Risk Matrix Definitions ]
Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network ]
Software Error Correction Support Policy [ MetaLink Note 209768.1 ]
Security Advisories Notifications for BEA products [ BEA Security Advisories ]

Modification History

05-March-2009	Modification to BEA links so that they point to archived advisory pages on OTN.
04-August-2008	Modification to note that patches are now available for this vulnerability.
28-July-2008	Initial release

E-mail this page

Printer View

Oracle Cloud

Java

Customer and Events

Communities

Services and Store

Log In to My Oracle Support
Training and Certification
Become a Partner
Find a Partner Solution
Purchase from the Oracle Store
Contact and Chat
Global Contacts
Oracle Support
Phone: 800-633-0738

Products and Services

Solutions

Downloads

Store

Support

Training

Partners

About

Oracle Technology Network