HighBlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Network IDS, IBM Security Server Protection for Windows, BlackICE Server Protection, Proventia Desktop, Proventia Network IPS, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology:
This signature detects a stack-based overflow in an HTTP application server.
High
BlackICE PC Protection: 3.6crh, RealSecure Server Sensor: XPU 28.140, RealSecure Network: XPU 28.140, Proventia-G 1.1 and earlier: XPU 28.140, Proventia Network MFS: XPU 28.140, Proventia Network IDS: XPU 28.140, IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 2.0.300.2280, IBM Security Server Protection for Windows: 1.0.914.2280, BlackICE Server Protection: 3.6.crh, Proventia Desktop: 2280, Proventia Network IPS: XPU 28.140, Virtual Server Protection for Vmware: 1.0, Proventia Server IPS for Linux technology: 28.140
Oracle WebLogic Server: 6.1 SP1, Oracle WebLogic Server: 6.1 SP2, Oracle WebLogic Server: 6.1, Oracle WebLogic Server: 7.0, Oracle WebLogic Server: 7.0 SP4, Oracle WebLogic Server: 7.0 SP5, Oracle WebLogic Server: 8.1, Oracle WebLogic Server: 8.1 SP1, Oracle WebLogic Server: 9.0, Oracle WebLogic Server: 7.0 SP6, Oracle WebLogic Server: 9.1, Oracle WebLogic Server: 8.1 SP6, Oracle WebLogic Server: 7.0 SP7, Oracle WebLogic Server: 10.0, Oracle WebLogic Server: 10.0 MP1, Oracle WebLogic Server: 6.1 SP3, Oracle WebLogic Server: 6.1 SP4, Oracle WebLogic Server: 6.1 SP5, Oracle WebLogic Server: 6.1 SP6, Oracle WebLogic Server: 6.1 SP7, Oracle WebLogic Server: 8.1 SP2, Oracle WebLogic Server: 8.1 SP3, Oracle WebLogic Server: 8.1 SP4, Oracle WebLogic Server: 8.1 SP5, Oracle WebLogic Server: 9.2, Oracle WebLogic Server: 9.2 MP1, Oracle WebLogic Server: 9.2 MP2, Oracle WebLogic Server: 9.2 MP3, Oracle WebLogic Server: 10.3, Oracle WebLogic Server: 7.0 SP1, Oracle WebLogic Server: 7.0 SP2, Oracle WebLogic Server: 7.0 SP3
Unauthorized Access Attempt
Oracle WebLogic Server (formerly known as BEA WebLogic Server) is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the Apache Connector. By sending a specially-crafted HTTP request, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the server to crash.
Refer to Oracle SECURITY ADVISORY (CVE-2008-4008) for patch, upgrade, or suggested workaround information. See References.
IBM Internet Security Systems Protection Advisory, October 14, 2008
Oracle WebLogic Server Apache Connector Remote Code Execution
http://www.iss.net/threats/304.html
Oracle Critical Patch Update - October 2008
Oracle Critical Patch Update Advisory - October 2008
http://www.oracle.com/technetwork/topics/security/cpuoct2008-100482.html
Oracle SECURITY ADVISORY (CVE-2008-4008)
Security vulnerability in WebLogic plug-in for Apache
https://support.bea.com/application_content/product_portlets/securityadvisories/2806.html
iDefense Labs PUBLIC ADVISORY: 10.29.08
Oracle WebLogic Apache Connector
https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=751
ISS X-Force
Oracle WebLogic Apache Connector buffer overflow
http://www.iss.net/security_center/static/44435.php
CVE
CVE-2008-4008
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4008