Published:2008/07/18  Last Updated:2008/07/18

JVN#81667751
Directory traversal vulnerability in WebLogic Server and WebLogic Express plug-ins

Overview

WebLogic Server and WebLogic Express are application servers provided by Oracle (formerly BEA Systems, Inc.).
Plug-ins included in WebLogic Server and WebLogic Express contain a directory traversal vulnerability.

Products Affected

Following plug-ins included in WebLogic Sever and WebLogic Express before 2008 July 15.

  • Plug-in for Apache
  • Plug-in for NSAPI(Netscape Server Application Program Interface)
  • Plug-in for ISAPI(Internet Server Application Program Interface)
For more information, refer to the vendor's website.

Description

WebLogic Server and WebLogic Express are application servers based on Java Platform Enterprise Edition 5 (JavaEE5) and provided by Oracle (formerly BEA Systems, Inc.). Plug-ins for Apache, Sun, and Microsoft IIS web servers which are included in WebLogic Server and WebLogic Express contain a directory traversal vulnerability.

Impact

A remote attacker could, without authentication, view files on the server where either WebLogic Server or WebLogic Express is installed. This could lead to unintentional disclosure of file contents.

Solution

Update the Software
Apply the latest update provided by the vendor.
For more information, refer to the vendor's website.

Vendor Status

Vendor Link
Oracle Security Advisory (CVE-2008-2579)
Security Advisories and Notifications
Oracle Critical Patch Update Advisory - July 2008
Oracle and BEA
Security Advisories and Notifications
Support for BEA Products

References

JPCERT/CC Addendum

Due to the acquisition of BEA Systems, Inc. by Oracle on 2008 April 29, any security related information of BEA products will be included in Oracle Critical Patch Updates. For more information, please refer to the following pages.

Vulnerability Analysis by JPCERT/CC

Analyzed on 2008.07.18

Measures Conditions Severity
Access Required Routed - can be attacked over the Internet using packets
  • High
Authentication None - anonymous or no authentication (IP addresses do not count)
  • High
User Interaction Required None - the vulnerability can be exploited without an honest user taking any action
  • High
Exploit Complexity Low - little to no expertise and/or luck required to exploit (cross-site scripting)
  • High

Description of each analysis measures

Credit

Hirofumi Oka of NRI SecureTechnologies,Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendor under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2008-2579
JVN iPedia JVNDB-2008-000040

Update History