
Preemptive Protection against Oracle WebLogic Server Apache Connector HTTP Version String Buffer Vulnerability


Check Point Reference: CPAI-2008-111
Date Published:
Severity:
Last Updated:
Source: Secunia Advisory: SA31146
Industry Reference(s): CVE-2008-3257
Protection Provided by:
VPN-1
  • NGX R65
  • NGX R62
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55
VSX
  • NGX
  • NGX R65
InterSpect
  • NGX
Connectra
  • NGX R62
  • NGX R61
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Oracle BEA WebLogic Server 5.x
Oracle BEA WebLogic Server 6.x
Oracle BEA WebLogic Server 7.x
Oracle BEA WebLogic Server 8.x
Oracle BEA WebLogic Server 9.x
Oracle BEA WebLogic Server 10.x
Vulnerability Description
A string buffer overflow vulnerability has been reported in Oracle (BEA) WebLogic Server Apache Connector. BEA WebLogic Server is a Java Application Server platform that supports various databases including Oracle. A remote attacker may exploit this vulnerability to execute arbitrary code on a vulnerable system.
Vulnerability Details
The vulnerability is due to a boundary error in the Apache connector. An attacker can exploit this issue by specially crafting an overly long POST request and sending it to the target host. Successful exploitation of this vulnerability may cause a stack-based buffer overflow, allowing the attacker to execute arbitrary code on the target system.

Protection Overview

By enabling this protection, SmartDefense will detect and block overly long HTTP requests. No update is required to address this vulnerability except for IPS-1.
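
The following Python example is added here for illustration and is not Check Point code. It approximates the kind of length check the HTTP Format Sizes settings in the product steps on this page describe, and labels findings with the log texts the page shows. The 4095 limits, the strict comparison and the sample requests are assumptions constructed for the example.

```python
# Added example: approximates an HTTP size-limit check; not Check Point's code.
MAX_HEADER_VALUE_LEN = 4095  # assumed setting; the page only says "less than 4096"
MAX_URL_LEN = 4095           # assumed setting for the Max URL Length variant

# Log texts copied from the SmartView Tracker entries shown on this page.
MSG_HEADER = "WSE0020003 header length exceeded maximum allowed length in request"
MSG_URL = "WSE0020004 URL length exceeded allowed maximum length in request"


def inspect_request(raw: bytes):
    """Return (log_text, detail) findings for the head of one raw HTTP request."""
    findings = []
    head = raw.split(b"\r\n\r\n", 1)[0]           # ignore the body
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")                   # method, URL, version
    if len(parts) >= 2 and len(parts[1]) > MAX_URL_LEN:
        findings.append((MSG_URL, f"URL length {len(parts[1])}"))
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue                              # not a "name: value" line
        value = value.strip()
        if len(value) > MAX_HEADER_VALUE_LEN:     # assumption: strict comparison
            findings.append((MSG_HEADER, f"{name.strip()} value length {len(value)}"))
    return findings


# Constructed sample requests (not captured traffic).
NORMAL = b"POST /app HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n"
LONG_HEADER = b"POST /app HTTP/1.1\r\nHost: example.test\r\nX-Test: " + b"A" * 5000 + b"\r\n\r\n"
LONG_URL = b"GET /" + b"a" * 5000 + b" HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("normal", NORMAL), ("long header", LONG_HEADER), ("long URL", LONG_URL)):
        print(label, inspect_request(req))
```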

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
Oracle Security Alert

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > HTTP Protocol Inspection > HTTP Format Sizes.
2. In the configuration pane, under Settings > Mode, check Active.
3. Under Format Sizes Configuration, check the Max Header Value Length box.
4. The header length value should be less than 4096.
5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Format Sizes
Attack Information: WSE0020003 header length exceeded maximum allowed length in request

VPN-1 NGX R61 & R60

How Can I Protect My Network?
1. In the Web Intelligence tree, click HTTP Protocol Inspection > HTTP Format Sizes.
2. In the configuration pane, check the Max Header Value Length box.
3. The header length value should be less than 4096.
4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Format Sizes
Attack Information: WSE0020003 header length exceeded maximum allowed length in request

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web > HTTP Protocol Inspection > Microsoft Internet Explorer Vulnerabilities > HTTP Format Sizes.
2. In the configuration pane, check the Max URL Length box.
3. The URL length value should be less than 4096.
4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Format Sizes
Attack Information: WSE0020004 URL length exceeded allowed maximum length in request

VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > HTTP Protocol Inspection > HTTP Format Sizes.
2. In the configuration pane, under Settings > Mode, check Active.
3. Under Format Sizes Configuration, check the Max Header Value Length box.
4. The header length value should be less than 4096.
5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Format Sizes
Attack Information: WSE0020003 header length exceeded maximum allowed length in request

VPN-1 VSX NGX

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web > HTTP Protocol Inspection > Microsoft Internet Explorer Vulnerabilities > HTTP Format Sizes.
2. In the configuration pane, check the Max URL Length box.
3. The URL length value should be less than 4096.
4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Format Sizes
Attack Information: WSE0020004 URL length exceeded allowed maximum length in request

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the Web Intelligence page of the profile.
2. In the Web Intelligence tree, click HTTP Protocol Inspection > HTTP Format Sizes.
3. In the configuration pane, under Format Sizes Configuration, check the Max Header Value Length box.
4. The header length value should be less than 4096.
5. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Format Sizes
Attack Information: WSE0020003 header length exceeded maximum allowed length in request

Connectra NGX R62 & R61

How Can I Protect My Network?
1. In the navigation tree, click Security > Web Intelligence.
2. In the HTTP Protocol Inspection pane, click the HTTP Format protection.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Attack Name: HTTP Format Sizes
Attack Information: WSE0020003 header length exceeded maximum allowed length in request

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Web Intelligence > WWW 2, and select the Apache Attacks protection group.
3. Click CVE-2008-3257 Long HTTP Line (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entry will be logged:

Alert Name: www2_apache
Description: cve_2008_3257_alert