Oracle Security Alert for CVE-2008-3257


This Security Alert addresses the security issue CVE-2008-3257, a vulnerability in the Apache Connector component (mod_weblogic) of the Oracle Weblogic Server (formerly BEA WebLogic Server). This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A knowledgeable and malicious remote user can exploit this vulnerability with resulting availability, integrity and confidentiality impact.

Supported Products and Components Affected

• Oracle WebLogic Server 10.0 released through MP1     
• Oracle WebLogic Server 9.0, 9.1, 9.2 released through MP3     
• Oracle WebLogic Server 8.1 released through SP6     
• Oracle WebLogic Server 7.0 released through SP7     
• Oracle WebLogic Server 6.1 released through SP7     

Patch Availability

Patches for this vulnerability can be found at the following:

Oracle strongly recommends that you backup and comprehensively test the stability of your system upon application of any patch or workaround prior to deleting any of the original file(s) that are replaced by a patch or workaround.

Risk Matrix

Vuln# Component Protocol Package and/or Privilege Required Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Last Affected Patch set (per Supported Release)
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2008-3257 WebLogic Server Plugin for Apache HTTP Apache Yes 10.0 Network Low None Complete Complete Complete 10.0 MP1, 9.2 MP3, 9.1, 9.0, 8.1 SP6, 7.0 SP7, 6.1 SP7


Oracle recommends that patches be applied rather than workarounds.  Workarounds published by Oracle before patches were made available can be found at:


Modification History

05-March-2009 Modification to BEA links so that they point to archived advisory pages on OTN.
04-August-2008 Modification to note that patches are now available for this vulnerability.
28-July-2008 Initial release