WebLogic Apache Connector Vulnerability

October 30, 2008

Oracle BEA WebLogic Server is a multi-tier Java application server platform. In two- and three-tier application architectures, a web server receives forms or HTTP requests and passes them to application servers, which perform the actual processing. The connector is the component the web server uses to communicate with the application server. Oracle BEA WebLogic Server ships with a connector, named mod_wl, for the Apache HTTP server.

Normally an HTTP POST request is sent in one stream, unless the HTTP header Transfer-Encoding is specified. A common value of the Transfer-Encoding header is "chunked".

A buffer overflow vulnerability exists in Oracle BEA WebLogic Server's connector software for the Apache HTTP server. Specifically, the vulnerability is due to improper parsing of HTTP Transfer-Encoding headers sent to the Apache web server. When a Transfer-Encoding header containing an unrecognized value is received, the connector software of WebLogic Server copies the header value into a fixed-size stack buffer using the sprintf() function. It has been observed that the vulnerable code does not verify the length of the string before copying it to the buffer.
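The following added example is not Oracle's code. It illustrates the bug class described above by showing the unbounded sprintf() pattern as a comment and a bounded replacement that detects truncation. The function names, the buffer size, the message text and the list of accepted values are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MSG_BUF_SIZE 128 /* assumed; the page does not give the real size */

/* Unsafe pattern described above (kept as a comment, never compiled):
 *     char msg[MSG_BUF_SIZE];
 *     sprintf(msg, "Unsupported Transfer-Encoding: %s", value);
 * sprintf() writes as many bytes as value supplies, so a long header
 * value runs past the end of msg on the stack. */

enum te_result { TE_OK, TE_UNSUPPORTED, TE_TOO_LONG };

/* Case-insensitive equality for transfer-coding names. */
static int ieq(const char *a, const char *b)
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) {
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Hypothetical handler: classify the header value and, if unrecognized,
 * build a log message without writing more than out_size bytes. */
enum te_result check_transfer_encoding(const char *value, char *out, size_t out_size)
{
    int n;

    if (out_size == 0)
        return TE_TOO_LONG;
    out[0] = '\0';
    if (ieq(value, "chunked") || ieq(value, "identity")) /* assumed accept list */
        return TE_OK;

    /* snprintf() is bounded by out_size and returns the length the full
     * string would have needed, which exposes truncation. */
    n = snprintf(out, out_size, "Unsupported Transfer-Encoding: %s", value);
    if (n < 0 || (size_t)n >= out_size) {
        /* Replace the truncated text with a fixed-size summary. */
        snprintf(out, out_size, "Transfer-Encoding value too long (%zu bytes)",
                 strlen(value));
        return TE_TOO_LONG;
    }
    return TE_UNSUPPORTED;
}
```

A caller would reject the request on TE_TOO_LONG instead of continuing to process it.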

A remote unauthenticated attacker could exploit this vulnerability by sending a crafted HTTP request containing an overly long Transfer-Encoding value to the vulnerable WebLogic connector software. Successful exploitation would result in code injection and execution with the privileges of the service, normally "System" on the Windows platform.

SonicWALL has released an IPS signature that will detect and prevent attacks targeting this vulnerability. The signature to address this vulnerability is:

  • 3596 WEB-ATTACKS Transfer-Encoding HTTP Header BO Attempt