CVE-2008-5457
published 2009-01-14

CVE-2008-5457: Unspecified vulnerability in the Oracle BEA WebLogic Server Plugins for Apache, Sun and IIS web servers component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3…

Priority: P2 (70) · Severity: critical · CVSS 2.0 base score: 10.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available (see Detection & IOCs below)
EPSS: 61.31% (99.0th percentile)
Unspecified vulnerability in the Oracle BEA WebLogic Server Plugins for Apache, Sun and IIS web servers component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, 8.1 SP6, and 7.0 SP7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

Affected

7 ranges, all for vendor oracle, product bea_product_suite. The version-range and fixed-in values of the seven rows were not captured on this page; the affected releases named in the description are 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, 8.1 SP6 and 7.0 SP7.

Detection & IOCs (extracted from sources)

cookie: JSESSIONID=<oversized alphanumeric value ~10000 bytes>
request: POST /index.jsp HTTP/1.1\r\nHost: localhost\r\nCookie: TAGLINE=IAMMCLOVIN; JSESSIONID=<payload>
other: Ret: 0x1006c9b5 (jmp esp) - WebLogic module version 1.0.1136334
other: Ret: 0x1006c9be (jmp esp) - WebLogic module version 1.0.1150354
path: /index.jsp
snort: GID 1, SID 15477
snort: GID 1, SID 15263
  • The exploit targets the JSESSIONID cookie value. Monitor for HTTP requests with abnormally large (thousands of bytes) JSESSIONID values sent to WebLogic-proxied endpoints.
  • The overflow is only reachable when WebLogic clustering is configured in the Apache/Sun/IIS plugin; non-clustered deployments are not affected, so scope detection to clustered deployments.
  • The IIS connector variant delivers the oversized payload in the URL (?;JSESSIONID=) rather than in the Cookie header. Inspect both locations.
  • The payload must avoid the null byte, CR, LF, space, semicolon, equals and comma (the request-line and cookie delimiters), so encoded shellcode in a JSESSIONID value will contain none of these bytes.
  • The Metasploit module sets EXITFUNC=seh. That option only chooses how the payload exits (it raises an exception so the process's exception handling unwinds, instead of calling an exit API); it says nothing about the overwrite technique. The module's jmp esp return addresses show a direct return-address overwrite. The SEH-overwrite variant is the Perl PoC, so SEH chain corruption in crash analysis of the plugin process points to that PoC rather than to the Metasploit module.
  • The Perl PoC uses a partial SEH overwrite (2-byte value \x76\x79) following a backward JMP sled; this byte pattern is detectable in the raw request bytes.
  • The return addresses in the Metasploit module (jmp esp trampolines, not ROP chains) are specific to WebLogic plugin DLL builds 1.0.1136334 and 1.0.1150354 on Windows Apache 2.2; other builds need different addresses.
  • The Perl PoC was tested only on Windows 2000 SP4 and Windows 2003 R2 SP2 without NX; with NX/DEP enabled this specific technique may not work.
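The detector below is an added example, not code from this page, the Metasploit module or the Perl PoC. It applies the first and third points above to raw HTTP requests: it parses the request line and headers, collects every JSESSIONID from the Cookie header and from the URL (the IIS connector form ?;JSESSIONID=), and flags values above a size threshold. The threshold of 1024 bytes, the sample requests and the function names are assumptions for illustration; the sample requests are constructed, not captured traffic.

```python
"""Flag HTTP requests carrying an oversized JSESSIONID (CVE-2008-5457 pattern),
whether it arrives in the Cookie header or in the URL (IIS connector variant).
Added example; the sample requests at the bottom are constructed."""
import re

# Assumption: a legitimate WebLogic session id is far below 1 KiB, while the
# PoC value described on this page is ~10000 bytes. Tune for your environment.
OVERSIZED_JSESSIONID = 1024

# Session id carried in the request target, e.g. /index.jsp?;JSESSIONID=<payload>
_URL_JSESSIONID = re.compile(r"[?;]JSESSIONID=([^;&#\s]*)")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body).
    Header names are lower-cased; repeated headers are kept as a list."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, headers, body


def jsessionid_values(target, headers):
    """Yield (location, value) for every JSESSIONID the request carries."""
    # Cookie header form. The exploit payload cannot contain ';' (a bad char),
    # so splitting on ';' is safe even for the malicious value.
    for cookie_header in headers.get("cookie", []):
        for part in cookie_header.split(";"):
            name, _, value = part.strip().partition("=")
            if name == "JSESSIONID":
                yield "cookie", value
    # URL form used by the IIS connector.
    for value in _URL_JSESSIONID.findall(target):
        yield "url", value


def detect(raw: bytes, limit: int = OVERSIZED_JSESSIONID):
    """Return one finding per oversized JSESSIONID in the request."""
    method, target, headers, _body = parse_request(raw)
    findings = []
    for location, value in jsessionid_values(target, headers):
        if len(value) > limit:
            findings.append({
                "method": method,
                "target": target.split("?", 1)[0],
                "location": location,
                "length": len(value),
            })
    return findings


# Constructed sample requests (not captured traffic).
BENIGN = (b"GET /index.jsp HTTP/1.1\r\nHost: localhost\r\n"
          b"Cookie: JSESSIONID=" + b"A" * 52 + b"\r\n\r\n")
EXPLOIT_COOKIE = (b"POST /index.jsp HTTP/1.1\r\nHost: localhost\r\n"
                  b"Cookie: TAGLINE=IAMMCLOVIN; JSESSIONID=" + b"A" * 10000 +
                  b"\r\nContent-Length: 0\r\n\r\n")
EXPLOIT_URL = (b"GET /index.jsp?;JSESSIONID=" + b"B" * 10000 +
               b" HTTP/1.1\r\nHost: localhost\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("cookie", EXPLOIT_COOKIE), ("url", EXPLOIT_URL)):
        print(label, detect(req))
```

Feed it one request at a time from a proxy or IDS capture; a finding with location "cookie" matches the Apache/Sun plugin form, and "url" matches the IIS connector form.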