SecurityTracker.com
SecurityTracker
Archives

Category:   Application (Web Server/CGI)  >   Oracle WebLogic
Vendors:   BEA Systems
BEA WebLogic Running SSL Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1010492
SecurityTracker URL:  http://securitytracker.com/id/1010492
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Aug 15 2005
Original Entry Date:  Jun 14 2004
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 8.1 (including SP2 and SP4)
Description:   A vulnerability was reported in BEA WebLogic Server and Express. A remote user can cause denial of service conditions on systems that use SSL.

BEA reported that a remote user can take certain actions against an SSL-based web application to cause the target server to fail to close the connection. As a result, the target WebLogic Server will eventually run out of sockets and fail to accept new requests, the vendor said.

Impact:   A remote user can cause the target service to crash or stop responding to requests.
Solution:   The vendor has issued a revised patch, replacing the fix described in BEA04-61.00 (which has now been superseded).

For WebLogic Server and WebLogic Express 8.1, upgrade to WebLogic Server and WebLogic Express 8.1 Service Pack 4 and apply the patch:

ftp://ftpna.beasys.com/pub/releases/security/CR215121_81sp4.jar

WebLogic Server version 8.1 Service Pack 5 will include this patch.

Vendor URL:  dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_61.00.jsp
Cause:   State error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_61.00.jsp


http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_61.00.jsp

 > Security Advisory: (BEA04-61.00)

 > From: BEA Systems Inc.

 > Minor Subject: A patch is available to prevent Denial of Service attack

 > Product(s) Affected: WebLogic Server and WebLogic Express

 > vulnerability.


BEA reported that a remote user can take certain actions against an SSL-based web application to cause the target server to fail to close the connection. As a result, the target WebLogic Server will eventually run out of sockets and fail to accept new requests.

WebLogic Server and WebLogic Express version 8.1 (through SP2) are affected.

The vendor has issued the following fix [quoted]:

     * For WebLogic Server and WebLogic Express 8.1

       Upgrade to WebLogic Server and WebLogic Express 8.1 Service Pack 2 and apply the patch:
       ftp://ftpna.beasys.com/pub/releases/security/CR133071_81sp2.jar

       WebLogic Server version 8.1 Service Pack 3 will include the functionality in this patch.



 
 



Copyright 2022, SecurityGlobal.net LLC