Oracle WebLogic Server IIS Connector JSESSIONID buffer overflow

Added: 04/10/2009
CVE: CVE-2008-5457
BID: 33177

Background

Oracle WebLogic Server (formerly BEA WebLogic Server) is a Java web application platform.

Problem

A buffer overflow vulnerability in the WebLogic IIS connector allows remote attackers to execute arbitrary commands by sending a long, specially crafted JSESSIONID parameter to the server.

Resolution

Apply patch 7825169 as instructed in the Oracle Security Advisory.
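To check whether long JSESSIONID values have already reached the connector, the IIS logs can be scanned for them. The script below is an added example, not part of the original advisory or of any Oracle tooling. It assumes W3C extended logs with the cs(Cookie) field enabled; the 256-character threshold and the sample log lines are constructed and should be adjusted to the deployment.

```python
import re

# Assumption: no legitimate session ID in this deployment exceeds this length.
MAX_JSESSIONID_LEN = 256
SESSION_RE = re.compile(r"jsessionid=([^;&+\s]*)", re.IGNORECASE)
WATCHED_FIELDS = ("cs-uri-stem", "cs-uri-query", "cs(Cookie)", "raw")


def find_oversized_jsessionid(log_lines, max_len=MAX_JSESSIONID_LEN):
    """Return (line_no, client_ip, field, length) for each oversized value."""
    fields, hits = [], []
    for line_no, line in enumerate(log_lines, 1):
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the lines that follow
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields and len(values) == len(fields):
            record = dict(zip(fields, values))
        else:
            record = {"raw": line}  # unknown layout: scan the whole line
        for name in WATCHED_FIELDS:
            for match in SESSION_RE.finditer(record.get(name, "")):
                if len(match.group(1)) > max_len:
                    hits.append((line_no, record.get("c-ip", "-"), name,
                                 len(match.group(1))))
    return hits


# Constructed sample log (documentation IP addresses, filler session values).
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Cookie)",
    "2009-04-10 10:00:01 192.0.2.10 GET /app/index.jsp - 200 JSESSIONID="
    + "K" * 52 + "!123;+lang=en",
    "2009-04-10 10:00:05 192.0.2.66 GET /app/index.jsp - 500 JSESSIONID=" + "A" * 1200,
    "2009-04-10 10:00:09 192.0.2.67 GET /app/index.jsp;jsessionid=" + "B" * 900
    + " - 500 -",
]

if __name__ == "__main__":
    for hit in find_oversized_jsessionid(SAMPLE_LOG):
        print("line %d: client %s sent a %d-character JSESSIONID in %s"
              % (hit[0], hit[1], hit[3], hit[2]))
```

A request that crashes the IIS worker before it is logged will not appear here, so an empty result does not rule out an attempt.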

References

http://www.oracle.com/technology/deploy/security/wls-security/2809.html

Limitations

The exploit works against the Oracle WebLogic 10.0 IIS connector on Windows 2000.

Platforms

Windows 2000
