SecurityTracker.com
SecurityTracker Archives
Category:   Application (Web Server/CGI)  >   Oracle WebLogic
Vendors:   BEA Systems
BEA WebLogic Running SSL Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1010492
SecurityTracker URL:  http://securitytracker.com/id/1010492
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Aug 15 2005
Original Entry Date:  Jun 14 2004
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 8.1 through SP4 (the original advisory covered 8.1 through SP2; the revised patch applies to SP4)
Description:   A vulnerability was reported in BEA WebLogic Server and WebLogic Express. A remote user can cause denial of service conditions on servers that accept SSL (HTTPS) connections.

BEA reported that a remote user can take certain actions against an SSL-based web application to cause the target server to fail to close the connection. Each connection left open in this way holds a socket, so the target WebLogic Server will eventually run out of sockets and fail to accept new requests, the vendor said.

Impact:   A remote user can cause the target service to crash or stop responding to requests.
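
A check an administrator can run on the WebLogic host while the patch is being scheduled: count the sockets held on the SSL listener by TCP state and flag the peers whose closed connections the server has not released. This is an added example, not part of the SecurityTracker entry or of BEA's advisory. It parses output in the format of `ss -tan` (Linux), assumes the default WebLogic SSL listen port 7002, and the sample output embedded below is constructed, not captured from a real server.

```python
"""Detect a server-side connection leak on an SSL listener.

Added example, not part of the SecurityTracker entry or BEA's advisory.
Input is assumed to be `ss -tan` output (Linux): a header line, then
columns State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port.
"""
from collections import Counter

# Constructed sample of `ss -tan` output (not captured from a real host).
# The HTTPS listener on :7002 (assumed WebLogic default SSL port) holds
# several connections the peer already closed (CLOSE-WAIT) but the server
# has not released.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN     0      128    0.0.0.0:7002        0.0.0.0:*
ESTAB      0      0      10.0.0.5:7002       10.0.0.9:51044
CLOSE-WAIT 1      0      10.0.0.5:7002       10.0.0.9:51045
CLOSE-WAIT 1      0      10.0.0.5:7002       10.0.0.9:51046
CLOSE-WAIT 1      0      10.0.0.5:7002       10.0.0.9:51047
CLOSE-WAIT 1      0      10.0.0.5:7002       10.0.0.9:51048
ESTAB      0      0      10.0.0.5:22         10.0.0.2:40000
CLOSE-WAIT 1      0      10.0.0.5:7001       10.0.0.9:51050
"""


def parse_ss(text):
    """Yield (state, local_port, peer_address) from ss -tan output."""
    for line in text.splitlines()[1:]:  # skip the column header
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        # The port follows the last ':' so IPv6 forms like [::]:7002 also work.
        port = int(local.rsplit(":", 1)[1])
        yield state, port, peer


def connection_states(text, port):
    """Count non-listening sockets on the given local port, by TCP state."""
    counts = Counter()
    for state, lport, _peer in parse_ss(text):
        if lport == port and state != "LISTEN":
            counts[state] += 1
    return counts


def leaking_peers(text, port, state="CLOSE-WAIT"):
    """Peer hosts ranked by how many sockets in `state` they hold on `port`."""
    peers = Counter()
    for st, lport, peer in parse_ss(text):
        if lport == port and st == state:
            peers[peer.rsplit(":", 1)[0]] += 1
    return peers.most_common()


def check_listener(text, port, close_wait_limit):
    """Return (ok, message); ok is False once leaked sockets exceed the limit."""
    counts = connection_states(text, port)
    leaked = counts["CLOSE-WAIT"]
    if leaked > close_wait_limit:
        top = leaking_peers(text, port)[:3]
        return False, (f"port {port}: {leaked} CLOSE-WAIT sockets "
                       f"(limit {close_wait_limit}); top peers {top}")
    return True, f"port {port}: {dict(counts)}"


if __name__ == "__main__":
    # On a live host replace SAMPLE_SS_OUTPUT with the output of `ss -tan`.
    ok, msg = check_listener(SAMPLE_SS_OUTPUT, 7002, close_wait_limit=3)
    print("OK" if ok else "ALERT", msg)
```

A server that fails to close a connection the peer has already shut down leaves the socket in CLOSE-WAIT, which is what this check counts. If the remote user keeps its side open instead, the leak shows up as a steadily growing ESTAB count against the same listener, so the per-state totals returned by `connection_states` are worth trending as well, against the server's file-descriptor limit.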
Solution:   The vendor has issued a revised patch that replaces the original fix (CR133071 for 8.1 SP2) described in BEA04-61.00; the original patch has been superseded.

For WebLogic Server and WebLogic Express 8.1, upgrade to WebLogic Server and WebLogic Express 8.1 Service Pack 4 and apply the patch:

ftp://ftpna.beasys.com/pub/releases/security/CR215121_81sp4.jar

WebLogic Server version 8.1 Service Pack 5 will include this patch.

Vendor URL:  dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_61.00.jsp
Cause:   State error
Underlying OS:   Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Date:  Mon, 14 Jun 2004 18:58:58 -0400
Subject:  http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_61.00.jsp


http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_61.00.jsp

 > Security Advisory: (BEA04-61.00)

 > From: BEA Systems Inc.

 > Minor Subject: A patch is available to prevent Denial of Service attack

 > Product(s) Affected: WebLogic Server and WebLogic Express

 > Threat level: High – Any user with HTTPS access to a Web application can exploit this
 > vulnerability.

 > Severity: High – WebLogic Server can crash or stop responding to requests

BEA reported that a remote user can take certain actions against an SSL-based web 
application to cause the target server to fail to close the connection.  As a result, the 
target WebLogic Server will eventually run out of sockets and fail to accept new requests.

WebLogic Server and WebLogic Express version 8.1 (through SP2) is affected.

The vendor has issued the following fix [quoted]:

     * For WebLogic Server and WebLogic Express 8.1

       Upgrade to WebLogic Server and WebLogic Express 8.1 Service Pack 2 and apply the patch:
       ftp://ftpna.beasys.com/pub/releases/security/CR133071_81sp2.jar

       WebLogic Server version 8.1 Service Pack 3 will include the functionality in this patch.



Copyright 2013, SecurityGlobal.net LLC