Pete Finnigan's Oracle Security Weblog

Oracle released their first security alert in three years outside of the Oracle Critical Patch Update (CPU) process on the 28th July. An unknown German (according to Alex's blog he is German) hacker calling himself Kingcope has released a 0-day exploit for Apache for the BEA Weblogic plug-in for Apache. The BEA Weblogic site has an advisory titled "Security Advisories and Notifications" which describes the issue. The exploit has a CVSS rating of 10.0 which makes it a high risk issue. It is a Denial of service attack and no authentication is required. The advisory from BEA (Now Oracle) advises a workaround of adding the line:

LimitRequestLine 4000

To the httpd.conf file and restarting Apache. If URL's have to be longer than 4000 bytes then mod_security can also be considered.

Eric Maurice has also released a note on his blog titled "Security Alert for CVE-2008-3257 Released" with more details. Oracle's own advisory is titled "Oracle Security Alert for CVE-2008-3257". There is also a news item over on E-Week Oracle Sounds Alert Over Unpatched WebLogic Server Flaw:

"Hackers have released exploit codes for an unpatched flaw affecting the Apache plug-in for Oracle's WebLogic Server. While Oracle prepares a patch for the vulnerability, it has provided information on workarounds to help ensure enterprise security.


Oracle officials are issuing a red alert regarding a flaw affecting the Apache plug-in for Oracle WebLogic after exploit codes for the vulnerability were posted in public forums."