WebLogic Apache Connector Vulnerability (Oct 30, 2008)


Oracle BEA WebLogic Server is a multi-tier Java application server platform. In two- and three-tier application architectures, a web server receives forms or HTTP requests and passes them to application servers, which perform the actual processing. A connector is the component the web server uses to communicate with the application server. Oracle BEA WebLogic Server ships with a connector for the Apache HTTP server, named mod_wl.

Normally an HTTP POST request is sent in one stream, unless the HTTP header Transfer-Encoding is specified. A common value of the Transfer-Encoding header is “chunked”.

There is a buffer overflow vulnerability in Oracle BEA WebLogic Server’s connector for the Apache HTTP server. Specifically, the vulnerability is due to improper parsing of HTTP Transfer-Encoding headers sent to the Apache web server. When a Transfer-Encoding header containing an unrecognized value is received, the WebLogic connector copies the header value into a fixed-size stack buffer using sprintf(). It has been observed that the vulnerable code does not verify the length of the string before copying it to the buffer.
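The bounded alternative to the unchecked sprintf() copy described above, as an added example that is not Oracle's connector code. The function name, the buffer size, the message text and the choice to treat only "chunked" as recognized are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

#define TE_MSG_SIZE 128 /* assumed buffer size; the advisory gives none */

enum te_result { TE_CHUNKED, TE_UNSUPPORTED, TE_REJECTED };

/*
 * The pattern the advisory describes is, in outline:
 *     char msg[TE_MSG_SIZE];
 *     sprintf(msg, "<text> %s", header_value);    (no length check)
 * Here the same job is done with snprintf() and a truncation check, so an
 * oversized value is rejected instead of being written past the buffer.
 * Treating only "chunked" as recognized is an assumption of this example.
 */
enum te_result check_transfer_encoding(const char *value,
                                       char *msg, size_t msg_len)
{
    int n;

    if (value == NULL || msg == NULL || msg_len == 0)
        return TE_REJECTED;
    msg[0] = '\0';
    if (strcasecmp(value, "chunked") == 0)
        return TE_CHUNKED;

    /* snprintf() returns the length it would have needed, not what fit. */
    n = snprintf(msg, msg_len, "Unsupported Transfer-Encoding: %s", value);
    if (n < 0 || (size_t)n >= msg_len) {
        msg[0] = '\0';        /* never hand back a truncated message */
        return TE_REJECTED;   /* caller should answer 400 and log it */
    }
    return TE_UNSUPPORTED;
}

int main(void)
{
    char msg[TE_MSG_SIZE], big[512];    /* constructed sample input */

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("chunked=%d unknown=%d oversized=%d\n",
           check_transfer_encoding("Chunked", msg, sizeof msg),
           check_transfer_encoding("x-unknown", msg, sizeof msg),
           check_transfer_encoding(big, msg, sizeof msg));
    return 0;
}
```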

A remote unauthenticated attacker could exploit this vulnerability by sending a crafted HTTP request containing an overly long Transfer-Encoding value to the vulnerable WebLogic connector software. Successful exploitation would result in code injection and execution with the privileges of the service, normally “System” on the Windows platform.

SonicWALL has released an IPS signature that will detect and prevent attacks targeting this vulnerability. The signature to address this vulnerability is:

  • 3596 WEB-ATTACKS Transfer-Encoding HTTP Header BO Attempt