BEA WebLogic 24 Vulnerabilities and Security Issues
Secunia Advisory: SA17138
Release Date: 2005-10-11
Last Update: 2006-05-16
Popularity: 15,104 views

Critical: Moderately critical
Impact: Security Bypass, Cross Site Scripting, Manipulation of data, Brute force, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS
Where: From remote
Solution Status: Vendor Patch

Software:
* BEA WebLogic Express 6.x
* BEA WebLogic Express 7.x
* BEA WebLogic Express 8.x
* BEA WebLogic Express 9.x
* BEA WebLogic Server 6.x
* BEA WebLogic Server 7.x
* BEA WebLogic Server 8.x
* BEA WebLogic Server 9.x


CVE reference: CVE-2006-0420, CVE-2005-4704, CVE-2005-4705


Description:
24 vulnerabilities and security issues have been reported in WebLogic Server and WebLogic Express. The most critical ones can potentially be exploited by malicious users to gain escalated privileges, and by malicious people to conduct cross-site scripting and HTTP request smuggling attacks, cause a DoS (Denial of Service), and bypass certain security restrictions.

1) An error in the thread handling of the server can be exploited by malicious clients to hang threads on a vulnerable server.

The vulnerability affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 5 (all platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all platforms)

2) Some unspecified input isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's or administrator's browser session in context of an affected site.

This is related to vulnerability #6 in:
SA15486

The vulnerability affects the following versions:
* WebLogic Server / Express 9.0 initial release (all platforms)
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all platforms)

3) The problem is that Java client applications using the SSL protocol without specifying a user may, in certain situations, communicate insecurely over an unencrypted protocol.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 3 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all platforms)

4) The problem is that if a Java client application creates both insecure and secure (SSL) connections to a server, then an insecure connection will be established instead of the intended secure connection in certain situations.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all platforms)

5) An error in the deploying of Web applications and EJBs can be exploited by a malicious web application with Deployer privileges to gain Admin privileges via the run-as deployment descriptor element.

The vulnerability affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)

6) The problem is that, under heavy load, some audit events may be posted with incorrect severity levels on sites that have auditing enabled. This may cause some customer filtering software to miss certain audit events.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)

7) The problem is that IP addresses of machines behind a firewall can be disclosed to a malicious person when NAT (Network Address Translation) is in use.

The vulnerability affects the following version:
* WebLogic Server 8.1 through Service Pack 3 (all platforms)

8) The passphrase for the Trust keystore is stored in clear text in the "nodemanager.config" file. This can be exploited to disclose the server's private keys.

Successful exploitation requires file access to the "nodemanager.config" file.

The security issue affects the following version:
* WebLogic Server 8.1 through Service Pack 3 (all platforms)

9) An error where Principals from a derived Principal class are not properly validated in certain situations may be exploited to gain escalated privileges.

The vulnerability affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 5 (all platforms)

10) An error where the servlet root URL pattern does not properly protect servlets may be exploited by malicious people to access certain servlet resources.

The vulnerability affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 3 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 5 (all platforms)

11) An error in the restriction of an unspecified internal servlet in the Administration server can be exploited to access files on the local filesystem.

Successful exploitation requires the Admin security role.

The vulnerability affects the following version:
* WebLogic Server / Express 8.1 through Service Pack 3 (all platforms)

12) An error in the importing of security policies from another operating system (e.g. from UNIX to Windows) can cause servlets to be left unprotected.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 (all platforms)
* WebLogic Server / Express 7.0 (all platforms)

13) The passphrase for the private key used to configure SSL is displayed in clear text on the terminal and stored in clear text in the server log file when creating a WebLogic server domain via the configuration wizard.

The security issue affects the following version:
* WebLogic Server 8.1 through Service Pack 3 (all platforms)

14) The problem is that certain servlet resources may not be properly protected from malicious people after an error occurs during deployment when the fullyDelegateAuthorization mode is enabled.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 3 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 5 (all platforms)

15) The problem is that system properties which may contain sensitive information (e.g. passwords) are logged to the server log file.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 5 (all platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all platforms)

16) The problem is that the password used to boot the server is stored in clear text in the Windows registry.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all platforms)

17) The problem is that a password is included in a subject when using the IIOP (Internet Inter-ORB Protocol) protocol and may be exposed in an exception to a remote client or in the server log.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all platforms)
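Issues #13, #15 and #17 share one pattern: a credential ends up in a server log or on a terminal where anyone with read access to the log can recover it. The scanner below is an added example, not code from the advisory or from BEA, that a defender can run over a WebLogic server log to find and redact such leaks. The log lines are constructed to imitate a startup log that echoes system properties; the key vocabulary (password, passphrase, secret, ...) and the log layout are assumptions, not BEA's actual message format.

```python
import re
from typing import List, Tuple

# Constructed sample log (not from a real WebLogic installation). It imitates a
# startup log that prints JVM system properties, one of which carries the boot
# password (issue #15), and a keystore passphrase echoed by a wizard (issue #13).
SAMPLE_LOG = """\
<Oct 11, 2005 10:02:13 AM CEST> <Info> <WebLogicServer> <Starting WebLogic Server>
<Oct 11, 2005 10:02:14 AM CEST> <Info> <Management> <System property: java.version=1.4.2_05>
<Oct 11, 2005 10:02:14 AM CEST> <Info> <Management> <System property: weblogic.management.password=s3cretBoot!>
<Oct 11, 2005 10:02:14 AM CEST> <Info> <Management> <System property: weblogic.Name=myserver>
<Oct 11, 2005 10:02:15 AM CEST> <Info> <Security> <Keystore passphrase: TrustMe123 loaded for trust store>
"""

# A key or label that usually precedes a secret, followed by ':' or '=' and the
# value. The word list is an assumption; extend it for your own environment.
# The value stops at whitespace or '>' so the closing bracket of a WebLogic log
# field is not swallowed into the secret.
SECRET_RE = re.compile(
    r"(?P<key>[\w.\-]*(?:password|passphrase|passwd|secret|credential)[\w.\-]*)"
    r"(?P<sep>\s*[:=]\s*)"
    r"(?P<value>[^\s>]+)",
    re.IGNORECASE,
)


def find_secrets(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, key, value) for every credential-looking field."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SECRET_RE.finditer(line):
            hits.append((lineno, m["key"], m["value"]))
    return hits


def redact(text: str) -> str:
    """Return the log with every detected secret value replaced by [REDACTED]."""
    return SECRET_RE.sub(lambda m: m["key"] + m["sep"] + "[REDACTED]", text)


if __name__ == "__main__":
    for lineno, key, _ in find_secrets(SAMPLE_LOG):
        # Report the location and key only; never print the recovered value.
        print(f"line {lineno}: secret value logged under '{key}'")
    print(redact(SAMPLE_LOG))
```

Run it against a copy of the log rather than the live file, and treat every hit as a credential that must be rotated: redacting the log afterwards limits further exposure but does not undo the disclosure.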

18) WebLogic Server / Express has a user lockout mechanism designed to protect against brute-force attacks. The problem is that the feature can be exploited by malicious people to lock out the administrator via multiple incorrect login requests.

Successful exploitation requires knowledge of the administrator's username.

19) The problem is that a Deployer can use the weblogic.Deployer command using the insecure t3 protocol in communication with the Administration server.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)

20) The problem is that Multicast messages are sent in clear text in clusters.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 5 (all platforms)

21) An error in the handling of incorrect log records may cause MBean configuration changes not to be saved in the audit log.

The security issue affects the following version:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)

22) An error in the handling of malformed HTTP requests may be exploited by malicious people to conduct HTTP request smuggling attacks.

The vulnerability affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all platforms)
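Issue #22 does not say which malformed requests are involved. HTTP request smuggling in general relies on two hops disagreeing about where one request body ends, so the standard defensive check is to refuse any request whose framing is ambiguous before it is forwarded. The code below is an added example of that check, written for this page and not part of BEA's software: it parses a raw request head and reports the framing inconsistencies that RFC 7230 tells a server to reject (Content-Length together with Transfer-Encoding, conflicting Content-Length values, an unknown or non-final chunked coding, whitespace inside a header name). The sample requests are constructed; the host name and path are placeholders.

```python
from typing import List, Tuple

# Constructed sample requests (placeholder host and path, no real traffic).
CLEAN_REQUEST = (
    b"POST /app HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)
# Two framing headers at once: one hop may honour Content-Length, the other
# Transfer-Encoding, so the two disagree about where the body ends.
AMBIGUOUS_REQUEST = (
    b"POST /app HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)
# A space before the colon: a lenient parser still treats this as
# Content-Length, a strict one ignores the header entirely.
SPACED_NAME_REQUEST = (
    b"POST /app HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length : 5\r\n"
    b"\r\n"
    b"hello"
)

KNOWN_CODINGS = {b"chunked", b"gzip", b"deflate", b"compress", b"identity"}


def parse_request_head(raw: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]]]:
    """Split a raw request into its request line and (name, value) headers.

    The header name is kept exactly as sent (including any stray whitespace)
    so that framing_problems can see what a lenient parser would see."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name, value.strip()))
    return lines[0], headers


def framing_problems(raw: bytes) -> List[str]:
    """Return a list of reasons the request's body framing is ambiguous.

    An empty list means the request may be forwarded; anything else should be
    answered with 400 and the connection closed, so no second interpretation
    of the bytes can reach the next hop."""
    _, headers = parse_request_head(raw)
    problems = []

    for name, _ in headers:
        if name != name.strip():
            problems.append(f"whitespace around header name {name!r}")

    cl_values = [v for n, v in headers if n.lower() == b"content-length"]
    te_values = [v for n, v in headers if n.lower() == b"transfer-encoding"]

    if cl_values and te_values:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl_values)) > 1:
        problems.append("conflicting Content-Length values")
    for v in cl_values:
        if not v.isdigit():
            problems.append(f"non-numeric Content-Length {v!r}")

    if te_values:
        codings = [c.strip().lower() for v in te_values for c in v.split(b",")]
        if codings[-1] != b"chunked":
            problems.append("Transfer-Encoding does not end with chunked")
        for c in codings:
            if c not in KNOWN_CODINGS:
                problems.append(f"unknown transfer coding {c!r}")

    return problems


if __name__ == "__main__":
    for label, req in [("clean", CLEAN_REQUEST),
                       ("ambiguous", AMBIGUOUS_REQUEST),
                       ("spaced name", SPACED_NAME_REQUEST)]:
        print(label, "->", framing_problems(req) or "ok")
```

The check belongs on every hop that parses HTTP (reverse proxy, load balancer and application server alike), because smuggling only works when two of them parse the same bytes differently; a single strict hop that rejects ambiguous framing removes the disagreement.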

23) An error in the handling of servlets doing relative forwarding may cause a vulnerable site to become unusable in certain situations.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)

24) An error in the user lockout security mechanism allows malicious people to perform more login requests than intended.

The security issue affects the following versions:
* WebLogic Server 8.1 through Service Pack 4 (all platforms)
* WebLogic Server 7.0 through Service Pack 6 (all platforms)

Solution:
Patches and updated documentation are available (see the original vendor advisories).

Provided and/or discovered by:
Reported by the vendor.

2) The vendor credits:
* ACROS Security
* DV Bern AG
* Application Security Inc
* GomoR

Changelog:
2006-01-24: New patch information is available for security issue #23 for WebLogic Server / Express 7.0 (see http://dev2dev.bea.com/pub/advisory/164).
2006-01-30: Added CVE reference.
2006-02-03: Added CVE references.
2006-03-21: New patch information is available for vulnerability #22 for WebLogic Server / Express 7.0 (see http://dev2dev.bea.com/pub/advisory/1...ected version for security issue #24.
2006-05-16: Vendor issues a corrected patch for WebLogic Server 6.1 in vulnerability #1 (BEA06-87.01).

Original Advisory:
BEA06-87.01:
http://dev2dev.bea.com/pub/advisory/197

BEA05-80.02:
http://dev2dev.bea.com/pub/advisory/139

BEA05-85.00:
http://dev2dev.bea.com/pub/advisory/140

BEA05-86.00:
http://dev2dev.bea.com/pub/advisory/141

BEA05-88.00:
http://dev2dev.bea.com/pub/advisory/142

BEA05-89.00:
http://dev2dev.bea.com/pub/advisory/143

BEA05-90.00:
http://dev2dev.bea.com/pub/advisory/144

BEA05-91.00:
http://dev2dev.bea.com/pub/advisory/145

BEA05-92.00:
http://dev2dev.bea.com/pub/advisory/146

BEA05-93.00:
http://dev2dev.bea.com/pub/advisory/147

BEA05-94.00:
http://dev2dev.bea.com/pub/advisory/148

BEA05-95.00:
http://dev2dev.bea.com/pub/advisory/149

BEA05-96.00:
http://dev2dev.bea.com/pub/advisory/150

BEA05-97.00:
http://dev2dev.bea.com/pub/advisory/151

BEA05-98.00:
http://dev2dev.bea.com/pub/advisory/152

BEA05-99.00:
http://dev2dev.bea.com/pub/advisory/153

BEA05-100.00:
http://dev2dev.bea.com/pub/advisory/154

BEA05-101.00:
http://dev2dev.bea.com/pub/advisory/155

BEA05-102.00:
http://dev2dev.bea.com/pub/advisory/156

BEA05-103.00:
http://dev2dev.bea.com/pub/advisory/157

BEA05-104.00:
http://dev2dev.bea.com/pub/advisory/158

BEA06-105.01:
http://dev2dev.bea.com/pub/advisory/177

BEA06-106.01:
http://dev2dev.bea.com/pub/advisory/164

BEA06-107.01:
http://dev2dev.bea.com/pub/advisory/178

Other References:
SA15486:
http://secunia.com/advisories/15486/
