Oracle Fusion Middleware contains a flaw related to the Oracle WebLogic Server component. The component fails to properly associate renegotiation handshakes with an existing connection, allowing a man-in-the-middle attacker to insert data into HTTPS sessions, and possibly other sessions which are protected by TLS or SSL. The issue is triggered when a remote attacker sends an unauthenticated request which is processed retroactively by the server in a post-renegotiation context, related to a plaintext injection attack.

Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch to address this vulnerability. Check the vendor advisory or solution in the references section.

• Related OSVDB ID: 71952 71953 71954 71955 71956 71957 71958 71959
• CVE ID: 2009-3555 (see also: NVD)
• Secunia Advisory ID: 44260 49035 49966 51766
• Vendor Specific News/Changelog Entry: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03298151
  http://www.gentoo.org/security/en/glsa/glsa-201301-01.xml
• Vendor Specific Advisory URL: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03405642
  http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2012-11-767
• Packet Storm: http://packetstormsecurity.org/files/111920/HP-Security-Bulletin-HPSBOV02762-SSRT100825.html
• Mail List Post: http://seclists.org/bugtraq/2012/Apr/114
• News Article: http://www.computerworld.com/s/article/9215838/Oracle_to_fix_73_security_bugs_next_week
• Vendor Specific Solution URL: http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html

• Not Available