MyCERT Advisories

MyCERT Advisories, Alerts and Summaries for the year 2009

MA-156.042009: MyCERT Alert - Oracle BEA WebLogic Products Multiple Vulnerabilities

1.0 Introduction

Several vulnerabilities have been reported in Oracle BEA WebLogic products. Their impacts include information disclosure, remote execution of arbitrary code and denial of service.

Below is the list of vulnerabilities found in Oracle BEA WebLogic products:

1. Insufficient validation of HTTP requests by the WebLogic Server Plugins (the plug-ins that front WebLogic Server from Apache, IIS and Sun web servers) can be exploited to cause a heap-based buffer overflow via a specially crafted HTTP request.

This vulnerability is confirmed in WebLogic Server Plugins version 1.0.1166819 and reportedly affects the following products and versions:

  • Oracle WebLogic Server 10.3
  • Oracle WebLogic Server 10.0 released through MP1
  • Oracle WebLogic Server 9.2 released through MP3
  • Oracle WebLogic Server 9.1
  • Oracle WebLogic Server 9.0
  • Oracle WebLogic Server 8.1 released through SP6
  • Oracle WebLogic Server 7.0 released through SP7

2. A boundary error in the WebLogic Server Plugins when parsing SSL certificates can be exploited to cause a stack-based buffer overflow.

This vulnerability is confirmed in WebLogic Server Plugins version 1.0.1166819 and reportedly affects the following products and versions:

  • Oracle WebLogic Server 10.3
  • Oracle WebLogic Server 10.0 released through MP1
  • Oracle WebLogic Server 9.2 released through MP3
  • Oracle WebLogic Server 9.1
  • Oracle WebLogic Server 9.0
  • Oracle WebLogic Server 8.1 released through SP6
  • Oracle WebLogic Server 7.0 released through SP7

3. An unspecified error in WebLogic Server can be exploited to potentially compromise a vulnerable system.

This vulnerability is reported in the following products and versions:

  • Oracle WebLogic Server 10.3, on all platforms
  • Oracle WebLogic Server 10.0 released through Maintenance Pack 1 on all platforms
  • Oracle WebLogic Server 9.2 released through Maintenance Pack 3 on all platforms
  • Oracle WebLogic Server 9.1 on all platforms
  • Oracle WebLogic Server 9.0 on all platforms
  • Oracle WebLogic Server 8.1 released through Service Pack 6, on all platforms
  • Oracle WebLogic Server 7.0 released through Service Pack 7, on all platforms

4. An unspecified error in WebLogic Server can be exploited to disclose the source code of web pages.

This vulnerability is reported in the following products and versions:

  • Oracle WebLogic Server 10.3, on all platforms
  • Oracle WebLogic Server 10.0 released through Maintenance Pack 1 on all platforms
  • Oracle WebLogic Server 9.2 released through Maintenance Pack 3 on all platforms
  • Oracle WebLogic Server 9.1 on all platforms
  • Oracle WebLogic Server 9.0 on all platforms

5. An unspecified security issue exists in WebLogic Server web services security. No further information is currently available.

This security issue is reported in the following products and versions:

  • Oracle WebLogic Server 10.3, on all platforms

6. Some vulnerabilities exist in JRockit, which can be exploited by attackers to bypass certain security restrictions, disclose sensitive information, cause a DoS (Denial of Service), or compromise a vulnerable system.

These vulnerabilities affect the following products and versions:

  • JRockit R27.6.2 and earlier, SDK and JRE 1.4.2
  • JRockit R27.6.2 and earlier, JRE and JDK 5.0
  • JRockit R27.6.2 and earlier, JRE and JDK 6

7. An unspecified error in Oracle Data Service Integrator and AquaLogic Data Services Platform can be exploited to gain escalated privileges.

This vulnerability is reported in the following products and platforms:

  • AquaLogic Oracle Data Service Integrator 10.3.0, on all platforms
  • AquaLogic Data Services Platform 3.2, on all platforms
  • AquaLogic Data Services Platform 3.0.1, on all platforms
  • AquaLogic Data Services Platform 3.0, on all platforms

2.0 Impact

Below are the impacts of the vulnerabilities. Please note that the vulnerabilities are numbered according to the vulnerability list in the introduction section.

  • Successful exploitation of vulnerabilities 1, 2 and 3 may allow execution of arbitrary code.
  • Exploitation of vulnerability 4 may disclose the source code of web pages.
  • The impact of security issue 5 is unspecified; no further information is currently available.
  • Vulnerability 6 can be exploited to bypass certain security restrictions, disclose sensitive information, cause a DoS (Denial of Service), or compromise a vulnerable system.
  • Successful exploitation of vulnerability 7 may lead to privilege escalation.

3.0 Affected Products

Below is the detailed list of vulnerable versions:

  • BEA JRockit 1.x
  • BEA WebLogic Server 10.x
  • BEA WebLogic Server 7.x
  • BEA WebLogic Server 8.x
  • BEA WebLogic Server 9.x
  • Oracle AquaLogic Data Service Integrator 10.x
  • Oracle AquaLogic Data Services Platform 3.x

4.0 Recommendation

MyCERT strongly advises system and security administrators to apply the appropriate patches or upgrades as specified in the Oracle Critical Patch Update Advisory - April 2009 at the following URL: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html
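To decide which installations need this Critical Patch Update, an administrator has to compare each deployed version against the ranges listed in section 1.0 ("released through MP1", "R27.6.2 and earlier", and so on). The following script is an added example, not MyCERT or Oracle code: it encodes the affected ranges from this alert, parses WebLogic and JRockit version strings, and flags the hosts in a constructed inventory that fall inside them. The inventory, host names and version-string formats ("10.0 MP1", "8.1 SP6", "R27.6.3-40") are assumptions for the example.

```python
"""Check a WebLogic / JRockit inventory against the affected-version
ranges in MA-156.042009 (added example, not MyCERT or Oracle code)."""
import re

# Affected WebLogic Server lines, transcribed from section 1.0 of the alert.
# Value = highest maintenance/service pack number that is listed as affected
# for that major.minor line; None = every release of that line is listed.
WLS_AFFECTED = {
    "10.3": None,
    "10.0": 1,   # 10.0 released through MP1
    "9.2": 3,    # 9.2 released through MP3
    "9.1": None,
    "9.0": None,
    "8.1": 6,    # 8.1 released through SP6
    "7.0": 7,    # 7.0 released through SP7
}

# Vulnerability 6: JRockit R27.6.2 and earlier.
JROCKIT_MAX_AFFECTED = (27, 6, 2)

# Assumed version-string formats: "10.0 MP1", "9.2MP3", "8.1 SP6", "10.3", "10.3.0"
_WLS_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\s*(?:MP|SP)(\d+))?$", re.I)
# Assumed JRockit format: "R27.6.2" or "R27.6.3-40"
_JROCKIT_RE = re.compile(r"^R(\d+)\.(\d+)(?:\.(\d+))?(?:-\d+)?$", re.I)


def parse_wls_version(text):
    """Return (major.minor line, pack number). A base release with no
    MP/SP suffix is treated as pack 0 so that 'through MPn' ranges
    include it."""
    m = _WLS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised WebLogic version: {text!r}")
    line = f"{m.group(1)}.{m.group(2)}"
    pack = int(m.group(4)) if m.group(4) else 0
    return line, pack


def wls_is_affected(text):
    """True if the version lies inside a range listed for vulnerabilities 1-3."""
    line, pack = parse_wls_version(text)
    if line not in WLS_AFFECTED:
        return False          # not listed by the alert (see caveat below)
    limit = WLS_AFFECTED[line]
    return limit is None or pack <= limit


def affected_wls_vulns(text):
    """Numbers of the alert's WebLogic vulnerabilities (1-5) whose affected
    list includes this version."""
    line, _ = parse_wls_version(text)
    vulns = []
    if wls_is_affected(text):
        vulns += [1, 2, 3]            # listed for every affected line
        if line not in ("8.1", "7.0"):
            vulns.append(4)           # source disclosure: 9.0 and later only
        if line == "10.3":
            vulns.append(5)           # web services security issue: 10.3 only
    return vulns


def parse_jrockit_release(text):
    m = _JROCKIT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised JRockit release: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def jrockit_is_affected(text):
    return parse_jrockit_release(text) <= JROCKIT_MAX_AFFECTED


# Constructed inventory for the example: (host, product, version string).
INVENTORY = [
    ("app01", "wls", "10.0 MP1"),
    ("app02", "wls", "10.0 MP2"),   # above the listed range: not flagged
    ("app03", "wls", "9.2 MP3"),
    ("app04", "wls", "8.1 SP6"),
    ("app05", "wls", "10.3"),
    ("jvm01", "jrockit", "R27.6.2"),
    ("jvm02", "jrockit", "R27.6.3-40"),
]


def hosts_needing_patch(inventory=INVENTORY):
    """Hosts whose version falls inside a range listed in the alert."""
    flagged = []
    for host, product, version in inventory:
        hit = wls_is_affected(version) if product == "wls" else jrockit_is_affected(version)
        if hit:
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    for host, product, version in INVENTORY:
        detail = affected_wls_vulns(version) if product == "wls" else jrockit_is_affected(version)
        print(f"{host:6} {product:8} {version:10} -> {detail}")
    print("needs CPU April 2009:", hosts_needing_patch())
```

A version above a listed range (app02 in the constructed inventory) is simply not named by this alert; that is not evidence that it carries the fix, so confirm such installations against the Oracle Critical Patch Update advisory itself before excluding them from patching.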

5.0 References