Vulnerability ID: 22517
Risk level: 30
Port: 80, ...
Protocol: TCP
Category: Servlet
Description:
A session fixation vulnerability exists on the remote Oracle WebLogic server. A remote attacker can hijack a user's session by means of a crafted POST request.
* Notice: To test for this vulnerability, this check only verifies the version information reported by the remote WebLogic server. It may therefore produce false positives.
* Reference sites: http://malerisch.net/docs/advisories/Oracle_WebLogic_Session_Fixation_Via_HTTP_POST_Request.html http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
* Affected platforms: Oracle WebLogic Server 10.3.3, 10.3.2, 10.3.1, 9.2.4, 9.2 MP3, 9.2 MP2, 9.2 MP1, 9.2, 9.1 GA, 9.1, 9.0 GA, 10.3, 10.1, 10.0 MP2, 10.0 MP1, 10; all operating systems, all versions
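The following is an added example written for this record; it is not scanner code or code from the referenced advisory. It does two things. First, it reproduces the version-only check the notice describes: it parses WebLogic version strings in the forms used in the affected list ("10.3.3", "9.2 MP3", "10.0 MP2") or in a server banner and tests membership in the affected set. The reason such a check false-positives is assumed here to be that applying the Critical Patch Update leaves the reported version string unchanged, so a patched 10.3.3 server still matches. Second, it shows the behavioural test a practitioner would run to confirm or rule out the finding: present an attacker-chosen JSESSIONID before authentication and check whether the login response issues a different one. The HTTP responses and the cookie values are constructed samples, not captures from a real server.

```python
"""Added example (not part of the original vulnerability record).

1. version_is_affected(): the version-only check the record says the
   scanner performs. Assumption: a Critical Patch Update does not change
   the version string the server reports, so this check cannot tell a
   patched server from an unpatched one -- hence the false-positive notice.
2. session_id_kept_across_login(): a behavioural session-fixation check.
   If an attacker-planted JSESSIONID survives the login response, the
   attacker can reuse it after the victim authenticates.
"""
import email
import re

# Affected versions copied from the record. "9.1 GA"/"9.1" and "10"/"10.0"
# normalise to the same tuple and collapse in the set below.
AFFECTED_VERSION_STRINGS = [
    "10.3.3", "10.3.2", "10.3.1", "10.3", "10.1", "10.0 MP2", "10.0 MP1",
    "10", "9.2.4", "9.2 MP3", "9.2 MP2", "9.2 MP1", "9.2", "9.1 GA", "9.0 GA",
]

# "<major>.<minor>[.<patch>]" optionally followed by a maintenance pack "MPn"
# or the "GA" marker. Extra components, e.g. the trailing ".0" in a banner
# such as "WebLogic Server 10.3.3.0", are ignored. Only the first
# version-looking token in the text is considered.
VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)\s*(?:MP\s*(\d+)|GA)?", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, patch, mp) for the first version in *text*, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")][:3]
    parts += [0] * (3 - len(parts))
    mp = int(m.group(2)) if m.group(2) else 0
    return tuple(parts) + (mp,)


AFFECTED_VERSIONS = {parse_version(s) for s in AFFECTED_VERSION_STRINGS}


def version_is_affected(banner):
    """Version-only check, as coarse as the record warns: True means
    'this version is on the affected list', not 'this server is unpatched'."""
    return parse_version(banner) in AFFECTED_VERSIONS


def jsessionid_from_response(raw_response):
    """Extract the JSESSIONID value set by an HTTP response head, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    _status_line, _, header_block = head.partition("\r\n")
    headers = email.message_from_string(header_block)
    for cookie in headers.get_all("Set-Cookie") or []:
        m = re.match(r"\s*JSESSIONID=([^;]+)", cookie, re.IGNORECASE)
        if m:
            return m.group(1)
    return None


def session_id_kept_across_login(pre_auth_sid, login_response):
    """True when the application did not rotate the session id at login:
    it either re-issued the attacker-supplied id or issued none at all (so
    the pre-auth id keeps working). Either way session fixation is possible."""
    new_sid = jsessionid_from_response(login_response)
    return new_sid is None or new_sid == pre_auth_sid


# Constructed samples: hypothetical responses, not captured from a real server.
ATTACKER_SID = "AttackerChosenSessionId0001"

VULNERABLE_LOGIN_RESPONSE = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Location: /app/home\r\n"
    f"Set-Cookie: JSESSIONID={ATTACKER_SID}; Path=/app\r\n"
    "\r\n"
)

SAFE_LOGIN_RESPONSE = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "Location: /app/home\r\n"
    "Set-Cookie: JSESSIONID=FreshIdIssuedAtLogin7f3a; Path=/app; HttpOnly\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for banner in ("WebLogic Server 10.3.3.0", "WebLogic Server 9.2 MP3",
                   "WebLogic Server 10.3.4.0"):
        verdict = "on affected list" if version_is_affected(banner) else "not listed"
        print(f"{banner} -> {verdict}")
    print("vulnerable sample keeps id:",
          session_id_kept_across_login(ATTACKER_SID, VULNERABLE_LOGIN_RESPONSE))
    print("safe sample keeps id:",
          session_id_kept_across_login(ATTACKER_SID, SAFE_LOGIN_RESPONSE))
```

To run the behavioural check against a live target, send the pre-authentication request with a Cookie header carrying ATTACKER_SID, submit the login form, and pass the raw response head to session_id_kept_across_login(); a True result, combined with a version on the affected list, is what distinguishes a real finding from the scanner's version-only false positive.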
Solution:
Oracle has released a Critical Patch Update that addresses these issues. Information on obtaining and applying the appropriate patch can be found in the January 2011 Oracle Critical Patch Update: http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
Related URL: CVE-2010-4437 (CVE)
Related URL: 45852 (SecurityFocus)
Related URL: (ISS)
|