[Micronet] Attacks on Oracle Application Servers


[Micronet] Attacks on Oracle Application Servers

John Ives

Everyone,

Recently there has been an upswing in the number of attacks we have seen
coming in against the Oracle BEA WebLogic Server Plug-in Certificate
vulnerability discovered by Secunia Research in April of 2009.  At this
time, I can only speculate about the cause of this upswing (perhaps
there is a new tool out there that can exploit this easily or a botnet
that has recently had this capability added), but I wanted to take this
opportunity to remind everyone about the need to patch services other
than just the base OS services, particularly those like Oracle or
Apache, which are network facing.

Yours,

John Ives

--
-------------------------------------------------------------------------
John Ives                                           Phone (510) 642-7773
System & Network Security     Cell (510) 229-8676
University of California, Berkeley
-------------------------------------------------------------------------

 
-------------------------------------------------------------------------
The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:

http://micronet.berkeley.edu

Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.

Re: [Micronet] Attacks on Oracle Application Servers

Jake -F Harwood

this _may_ relate,

Oracle Security Alert for CVE-2010-0073
Description

This Security Alert addresses security issue CVE-2010-0073, a
vulnerability in the Node Manager component of Oracle WebLogic Server.
This vulnerability may be remotely exploitable without authentication,
i.e. it may be exploited over a network without the need for a username
and password. A knowledgeable and malicious remote user can exploit this
vulnerability which can result in impacting the availability, integrity
and confidentiality of the targeted system.

Supported and Affected Products

* Oracle WebLogic Server 11gR1 releases (10.3.1 and 10.3.2)
* Oracle WebLogic Server 10gR3 release (10.3.0)
* Oracle WebLogic Server 10.0 through MP2
* Oracle WebLogic Server 9.0, 9.1, 9.2 through MP3
* Oracle WebLogic Server 8.1 through SP6
* Oracle WebLogic Server 7.0 through SP7

Patch Availability

Patches and relevant information for protection against this
vulnerability can be found at:

  https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1058764.1

Oracle strongly recommends that the fix for this vulnerability be
applied as soon as possible.

Oracle also strongly recommends that you back up and comprehensively test
the stability of your system upon application of any patch or workaround
prior to deleting any of the original file(s) that are replaced by a
patch or workaround.

It is also strongly recommended that customers apply January 2010 and
earlier Critical Patch Updates. Oracle WebLogic Server Critical Patch
Update patches are cumulative at sub-component level (e.g. WLS console,
Web application, Node Manager are sub-components). The January 2010
Critical Patch Update patches include all the security fixes released
since the July 2009 Critical Patch Update. The patches in January 2010
Critical Patch Update do not include all the earlier advisories prior to
July 2009 Critical Patch Update (unless otherwise noted). So, WebLogic
Server customers should refer to Previous Security Advisories to
identify previous security fixes they want to apply.


On 6/2/2010 10:08 AM, John Ives wrote:

> Everyone,
>
> Recently there has been an upswing in the number of attacks we have seen
> coming in against the Oracle BEA WebLogic Server Plug-in Certificate
> vulnerability discovered by Secunia Research in April of 2009.  At this
> time, I can only speculate about the cause of this upswing (perhaps
> there is a new tool out there that can exploit this easily or a botnet
> that has recently had this capability added), but I wanted to take this
> opportunity to remind everyone about the need to patch services other
> than just the base OS services, particularly those like Oracle or
> Apache, which are network facing.
>
> Yours,
>
> John Ives
>



--
-----------------------------------------------------------------------
Jake-F Harwood     Systems and Network Security, IST
SNS Security     University of California, Berkeley

                                          Phone(510)643-8241
                                          Cell (510)390-2580
                                  Home (510)758-7512 (use at own risk)

   "Who is this General Failure and why is he reading my hard drive?" -F
        https://security.berkeley.edu/PGPkeys/PGPkeyJHarwood.txt
-
------------------------------------------------------------------------