
Preemptive Protection against Oracle BEA WebLogic Server Apache Connector Buffer Overflow Vulnerability


Check Point Reference: CPAI-2008-160
Date Published:
Severity:
Last Updated:
Source: FrSIRT/ADV-2008-2825
Industry Reference(s): CVE-2008-4008
Protection Provided by: VPN-1
  • NGX R65
  • NGX R62
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55
VSX
  • NGX
  • NGX R65
InterSpect
  • NGX
Connectra
  • NGX R62
  • NGX R61
IPS-1
  • IPS-1
  • IPS-1 NGX R65
Who is Vulnerable?
Vulnerability Description
A buffer overflow vulnerability has been reported in Oracle (BEA) WebLogic Server Apache Connector. BEA WebLogic Server is a Java Application Server platform that supports various databases including Oracle. A remote attacker may exploit this vulnerability to execute arbitrary code on a vulnerable system.
Update/Patch Available
Apply patch:
Oracle
Vulnerability Details
The vulnerability is due to a boundary error in the Apache connector. An attacker can exploit this issue by specially crafting an overly long request and sending it to the target host. Successful exploitation of this vulnerability may cause a buffer overflow, allowing the attacker to execute arbitrary code on the target system.

Protection Overview
By enabling this protection, SmartDefense will detect and block overly long HTTP requests sent to the vulnerable host. No update is required to address this vulnerability.
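
The kind of check this protection performs can be sketched as follows. This is an added example, not Check Point's implementation or code from the original advisory; the function names, the limit of 4068 (one value satisfying "less than 4069") and the sample requests are assumptions constructed for illustration.

```python
# Added example: per-header value length check on a raw HTTP request.
# MAX_HEADER_VALUE_LEN is an assumed setting; the advisory only says "less than 4069".
MAX_HEADER_VALUE_LEN = 4068


def oversized_headers(raw_request: bytes, limit: int = MAX_HEADER_VALUE_LEN):
    """Return [(header_name, value_length)] for header values longer than limit."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]   # ignore the body
    lines = head.split(b"\r\n")[1:]               # skip the request line
    headers = []                                  # [name, value] pairs, in order
    for line in lines:
        if line[:1] in (b" ", b"\t") and headers:
            # Folded continuation line: its bytes count toward the previous
            # header, so a long value cannot be split up to slip under the limit.
            headers[-1][1] += b" " + line.strip()
        elif b":" in line:
            name, value = line.split(b":", 1)
            headers.append([name.strip().lower(), value.strip()])
        else:
            # No colon: keep the line as a nameless value so it is still measured.
            headers.append([b"", line])
    return [(n.decode("latin-1"), len(v)) for n, v in headers if len(v) > limit]


def verdict(raw_request: bytes, limit: int = MAX_HEADER_VALUE_LEN) -> str:
    """Return 'accept' or a 'reject: ...' string naming the offending headers."""
    hits = oversized_headers(raw_request, limit)
    if not hits:
        return "accept"
    detail = ", ".join(f"{name or '<malformed>'}={size}" for name, size in hits)
    return f"reject: oversized header value ({detail})"


# Constructed sample requests (not captured traffic).
NORMAL = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
LONG_TE = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
           b"Transfer-Encoding: " + b"A" * 5000 + b"\r\n\r\n")
FOLDED = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
          b"X-Note: " + b"B" * 3000 + b"\r\n " + b"B" * 3000 + b"\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("normal", NORMAL), ("long-te", LONG_TE), ("folded", FOLDED)):
        print(label, "->", verdict(req))
```

The folded-header case matters when tuning the limit: two continuation lines that are each under the limit still add up to one oversized value.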

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
Oracle Advisory

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > HTTP Protocol Inspection > HTTP Format Sizes.
2. In the configuration pane, under Settings > Mode, check Active.
3. Under Format Sizes Configuration, check the Max Header Value Length box.
4. The header length value should be less than 4069.
5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Format Sizes
Attack Information: WSE0020003 header length exceeded maximum allowed length in request

VPN-1 NGX R61 & R60

How Can I Protect My Network?
1. In the Web Intelligence tree, click HTTP Protocol Inspection > HTTP Format Sizes.
2. In the configuration pane, check the Max Header Value Length box.
3. The header length value should be less than 4069.
4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Format Sizes
Attack Information: WSE0020003 header length exceeded maximum allowed length in request

VPN-1 NG with Application Intelligence R55

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web > HTTP Protocol Inspection > Microsoft Internet Explorer Vulnerabilities > HTTP Format Sizes.
2. In the configuration pane, check the Max HTTP header length box.
3. The URL length value should be less than 4069.
4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Format Sizes
Attack Information: WSE0020003 header length exceeded maximum allowed length in request

VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > HTTP Protocol Inspection > HTTP Format Sizes.
2. In the configuration pane, under Settings > Mode, check Active.
3. Under Format Sizes Configuration, check the Max Header Value Length box.
4. The header length value should be less than 4069.
5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Format Sizes
Attack Information: WSE0020003 header length exceeded maximum allowed length in request

VPN-1 VSX NGX

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web > HTTP Protocol Inspection > Microsoft Internet Explorer Vulnerabilities > HTTP Format Sizes.
2. In the configuration pane, check the Max HTTP header length box.
3. The URL length value should be less than 4069.
4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Format Sizes
Attack Information: WSE0020003 header length exceeded maximum allowed length in request

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the Web Intelligence page of the profile.
2. In the Web Intelligence tree, click HTTP Protocol Inspection > HTTP Format Sizes.
3. In the configuration pane, under Format Sizes Configuration, check the Max Header Value Length box.
4. The header length value should be less than 4069.
5. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Format Sizes
Attack Information: WSE0020003 header length exceeded maximum allowed length in request

Connectra NGX R62 & R61

How Can I Protect My Network?
1. In the navigation tree, click Security > Web Intelligence.
2. In the HTTP Protocol Inspection pane, click the HTTP Format protection.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Attack Name: HTTP Format Sizes
Attack Information: WSE0020003 header length exceeded maximum allowed length in request

IPS-1 & IPS-1 NGX R65

How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Web Intelligence > WWW2, and select the Apache Attacks protection group.
3. Click CVE-2008-4008 Long Transfer-Encoding line (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Alert Name: Attacks against Apache web servers
Description: CVE-2008-4008 Long Transfer-Encoding line