Researchers Uncover BEA Weblogic Apache Vulnerability
Security researchers have reported a serious vulnerability in a handful of BEA Weblogic Server products that could be targeted in DoS attacks.
Ranked by researchers at Secunia as "highly critical," the fourth most serious rating of its five-level scale, the Weblogic vulnerability is related to a boundary error within the software's Apache connector and could be exploited to cause a stack-based buffer overflows, the researchers said.
Secunia credited an independent researcher, KingCope, as the initial party to discover the problem. According to the research firm, BEA has been notified about the issue but has yet to issue a related patch.
An attacker could potentially assail the flaw via the submission of an overly long, specially crafted POST request, which could allow execution of arbitrary code, leading to a DoS scenario, Secunia said.
Affected versions of Weblogic Server, an applications server package, include all iterations of the product between the 5.0 and 10.0 releases.
Secunia recommended that organizations affected by the Weblogic vulnerability should immediately restrict network access to the vulnerable system.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.