Cenzic Research Lab Names Top Five Critical Web Application Vulnerabilities for October
Market Wire, November, 2005
Cenzic's Intelligent Analysis (CIA) research lab today named the top five most serious web application vulnerabilities for the month of October. CIA specializes in the continuous research of application vulnerabilities and the development of remediation strategies to assist customers with their web application security needs in enterprise environments.
Cenzic has identified and analyzed the most serious vulnerabilities announced by vendors and other third parties in October. The company's top five includes vulnerabilities in many of today's most widely used business platforms, including Weblogic, Oracle, PHP, Sun Java Application Server and Apache.
Under the auspices of CIA, Cenzic evaluates a wide range of newly discovered application vulnerabilities and prioritizes them based on their severity and their potential to impact regulatory compliance, internal policy compliance, information privacy and financial losses. This information is released on a monthly or bi-monthly basis and can be used by enterprises as a first step in addressing the security of custom and commercial web applications.
The CIA team analyzed all web application security vulnerabilities discovered in October, and selected the following for their severity and potential threat to common, widely used software and business environments:
1. Multiple Vulnerabilities Discovered in BEA Weblogic Server
[CIA-1032-Alert] http://www.cenzic.com/cia_research/alerts/bea_weblogic-alerts.php
Multiple vulnerabilities were discovered in the BEA Weblogic server that permit denial of service, cross-site scripting, and privilege elevation attacks. BEA issued 22 separate advisories relating to the Weblogic server platform. Among these advisories are various vulnerability types, including weak SSL encryption being used under certain circumstances, denial of service causing server threads to hang, privilege elevation attacks, cross-site scripting, buffer overflows, unauthorized file access and information disclosure, unauthorized access to servlets, and the disclosure of system or user passwords.
Enterprises should consult the individual advisories to determine whether their platform is affected. BEA Weblogic server versions 6.1 SP7, 7.0 SP6, 8.1 SP4, 9.0, and others are known to be affected by one or more of the advisories.
Enterprises with affected sites should apply the appropriate BEA patches for their server.
2. Sun Java System Application May Disclose Source Code of JSP to Remote Users
[CIA-1033-Alert] http://www.cenzic.com/cia_research/alerts/sunjava_system-alerts.php
An unspecified vulnerability in the following Sun Java Application Server platforms may allow unauthorized users to access the source code of Java Server Pages:
-- Standard Edition 7 2004Q2 Update 2 and earlier
-- Standard Edition 7 Update 6 and earlier
-- Enterprise Edition 7 2004Q2 Update 2 and earlier
-- Platform Edition 7 Update 6 and earlier
A disclosure of Java Server Pages source code may allow an attacker to perpetrate theft of proprietary information and/or infer vulnerabilities in the application itself.
Affected sites should apply the vendor supplied fix. Additional information is available at: http://sunsolve.sun.com/searchproxy/document.do?assetkey=1-26-101910-1
3. Multiple Vulnerabilities Found in Oracle Database and Application Server
[CIA-1034-Alert] http://www.cenzic.com/cia_research/alerts/oracle_database-alerts.php
Multiple vulnerabilities in the Oracle Database and Oracle Application server may allow an attacker to compromise the confidentiality and integrity of data, or conduct denial of service attacks. Versions 8, 8i, 9i, 10g of the Oracle Database Server and Oracle Application server are affected by multiple vulnerabilities, some classified as having a wide impact.
Enterprises can address these vulnerabilities by applying the appropriate security patches discussed in the Critical Patch Update Advisory for October 2005, found at: www.oracle.com/technology/deploy/security/pdf/cpuoct2005.html
4. Apache Denial of Service via Memory Leak in MPM 'worker.c'
[CIA-1035-Alert] http://www.cenzic.com/cia_research/alerts/apache_denial-alerts.php
A memory leak in the Apache worker MPM (Multi-Processing Module) may allow an attacker to cause excess system resource consumption by aborting connections. Memory reserved for the connection request is not properly released for reuse by other processes, eventually leaving the server unable to handle incoming requests. The vulnerability also affects the IBM HTTP Server, which is based on the Apache codebase.
Enterprises can address this vulnerability by applying the appropriate patches provided at the following links:
Apache SVN security fix: http://svn.apache.org/viewcvs.cgi/httpd/httpd/branches/2.2.x/server/mpm/worker/worker.c
IBM HTTP Server security fix: http://www-1.ibm.com/support/docview.wss?rs=0&uid=swg24010709
5. Multiple Vulnerabilities Found in PHP Allow Unauthorized Access to Servers
[CIA-1036-Alert] http://www.cenzic.com/cia_research/alerts/php_multiple-alerts.php