CVE-2004-2424
Description
BEA WebLogic Server 8.1 through SP2 fails to release network ports after HTTPS sessions, allowing remote attackers to cause denial of service via port exhaustion.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
BEA WebLogic Server and WebLogic Express versions 8.1 through 8.1 SP2 contain a flaw where HTTPS sessions do not properly release network ports after the session ends. The exact actions that trigger this behavior are unknown, but the result is that the server holds ports open indefinitely, leading to resource exhaustion [1].
Exploitation
A remote attacker can send crafted HTTPS requests to the server, causing it to retain network ports even after the session terminates. No authentication is required; the attacker only needs network access to the server's HTTPS port. The specific sequence of actions is not publicly documented; the vulnerability is described only as being triggered by unknown actions within HTTPS sessions [1].
Impact
Successful exploitation leads to a denial of service (DoS) condition as all available network ports are consumed, preventing legitimate clients from establishing new connections. The server becomes unresponsive until ports are freed or the system is restarted [1].
Mitigation
BEA Systems released a fix for this issue; users should upgrade to a version beyond 8.1 SP2. The Secunia advisory (now Flexera) provides details on the patch availability [1]. No workaround is documented, and the vulnerability is not listed on the CISA KEV.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:bea:weblogic_server:8.1:*:*:*:*:*:*:*
- cpe:2.3:a:bea:weblogic_server:8.1:*:express:*:*:*:*:*
- cpe:2.3:a:bea:weblogic_server:8.1:sp1:*:*:*:*:*:*
- cpe:2.3:a:bea:weblogic_server:8.1:sp1:express:*:*:*:*:*
- cpe:2.3:a:bea:weblogic_server:8.1:sp1:win32:*:*:*:*:*
- cpe:2.3:a:bea:weblogic_server:8.1:sp2:*:*:*:*:*:*
- cpe:2.3:a:bea:weblogic_server:8.1:sp2:express:*:*:*:*:*
- cpe:2.3:a:bea:weblogic_server:8.1:sp2:win32:*:*:*:*:*
- cpe:2.3:a:bea:weblogic_server:8.1:sp3:*:*:*:*:*:*
- cpe:2.3:a:bea:weblogic_server:8.1:sp3:express:*:*:*:*:*
- cpe:2.3:a:bea:weblogic_server:8.1:sp3:win32:*:*:*:*:*
- cpe:2.3:a:bea:weblogic_server:8.1:sp4:*:*:*:*:*:*
- cpe:2.3:a:bea:weblogic_server:8.1:sp4:express:*:*:*:*:*
- cpe:2.3:a:bea:weblogic_server:8.1:sp4:win32:*:*:*:*:*
- cpe:2.3:a:bea:weblogic_server:8.1:*:win32:*:*:*:*:*
- (no CPE) Range: 8.1 through 8.1 SP2
Patches
No patches discovered yet.
References
- dev2dev.bea.com/pub/advisory/7 (nvd: Patch, Vendor Advisory)
- secunia.com/advisories/11864 (nvd: Patch, Vendor Advisory)
- securitytracker.com/id (nvd: Patch, Vendor Advisory)
- www.osvdb.org/7076 (nvd: Patch)
- www.securityfocus.com/bid/10544 (nvd: Patch)
- exchange.xforce.ibmcloud.com/vulnerabilities/16419 (nvd)