Alert_CVE-2008-3257

PRODUCTS

Database
Middleware
Developer Tools
Enterprise Management
Applications Technology
Products A-Z

TECHNOLOGIES

BI & Data Warehousing
Embedded
Java
Linux
.NET
PHP
Security
Technologies A-Z

ARCHITECTURE

Enterprise Architecture
Enterprise 2.0
Grid
Service-Oriented Architecture
Virtualization

COMMUNITY

Join OTN
Oracle ACEs
Oracle Mix
Oracle Wiki
Blogs
Podcasts
Events
Newsletters
Oracle Magazine
Oracle Books
Certification
User Groups
Partner White Papers

Printer View

E-mail this page

Bookmark

Alert_CVE-2008-3257

Oracle Security Alert for CVE-2008-3257

Description

This Security Alert addresses the security issue CVE-2008-3257, a vulnerability in the Apache Connector component (mod_weblogic) of the Oracle Weblogic Server (formerly BEA WebLogic Server). This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A knowledgeable and malicious remote user can exploit this vulnerability with resulting availability, integrity and confidentiality impact.

Supported Products and Components Affected

• Oracle WebLogic Server 10.0 released through MP1
• Oracle WebLogic Server 9.0, 9.1, 9.2 released through MP3
• Oracle WebLogic Server 8.1 released through SP6
• Oracle WebLogic Server 7.0 released through SP7
• Oracle WebLogic Server 6.1 released through SP7

Patch Availability

Patches for this vulnerability can be found at the following:

http://www.oracle.com/technology/deploy/security/wls-security/2793.html

Oracle strongly recommends that you backup and comprehensively test the stability of your system upon application of any patch or workaround prior to deleting any of the original file(s) that are replaced by a patch or workaround.

Risk Matrix

Vuln#	Component	Protocol	Package and/or Privilege Required	Remote Exploit without Auth.?	CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)							Last Affected Patch set (per Supported Release)
Vuln#	Component	Protocol	Package and/or Privilege Required	Remote Exploit without Auth.?	Base Score	Access Vector	Access Complexity	Authentication	Confidentiality	Integrity	Availability	Last Affected Patch set (per Supported Release)
CVE-2008-3257	WebLogic Server Plugin for Apache	HTTP	Apache	Yes	10.0	Network	Low	None	Complete	Complete	Complete	10.0 MP1, 9.2 MP3, 9.1, 9.0, 8.1 SP6, 7.0 SP7, 6.1 SP7

Workarounds

Oracle recommends that patches be applied rather than workarounds. Workarounds published by Oracle before patches were made available can be found at:

http://www.oracle.com/technology/deploy/security/wls-security/2793.html

References

Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
Risk Matrix definitions [ Risk Matrix Definitions ]
Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network ]
Software Error Correction Support Policy [MetaLink Note 209768.1 ]
Security Advisories Notifications for BEA products [BEA Security Advisories ]

Modification History

05-March-2009	Modification to BEA links so that they point to archived advisory pages on OTN.
04-August-2008	Modification to note that patches are now available for this vulnerability.
28-July-2008	Initial release

E-mail this page

Printer View

	About Oracle \| \| Careers \| Contact Us \| Site Maps \| Legal Notices \| Terms of Use \| Privacy