Moderately critical

BEA WebLogic 24 Vulnerabilities and Security Issues


Release Date:  2005-10-11    Last Update:  2006-05-16    Views:  21,436

Secunia Advisory SA17138

Where:

From remote

Impact:

Security Bypass, Cross Site Scripting, Manipulation of data, Brute force, Exposure of system information, Exposure of sensitive information, Privilege escalation, DoS

Solution Status:

Vendor Patch

CVE Reference(s):

Description


24 vulnerabilities and security issues have been reported in WebLogic Server and WebLogic Express, where the most critical ones potentially can be exploited by malicious users to gain escalated privileges and by malicious people to conduct cross-site scripting and HTTP request smuggling attacks, cause a DoS (Denial of Service), and bypass certain security restrictions.

1) An error in the thread handling of the server can be exploited by malicious clients to hang threads on a vulnerable server.

The vulnerability affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 5 (all platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all platforms)

2) Some unspecified input isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's or administrator's browser session in context of an affected site.

This is related to vulnerability #6 in:
SA15486

The vulnerability affects the following versions:
* WebLogic Server / Express 9.0 initial release (all platforms)
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all platforms)

3) The problem is that Java client applications using the SSL protocol without specifying a user may, in certain situations, communicate insecurely over an unencrypted protocol.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 3 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all platforms)

4) The problem is that if a Java client application creates both insecure and secure (SSL) connections to a server, then an insecure connection will be established instead of the intended secure connection in certain situations.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all platforms)

5) An error in the deploying of Web applications and EJBs can be exploited by a malicious web application with Deployer privileges to gain Admin privileges via the run-as deployment descriptor element.

The vulnerability affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)

6) The problem is that under heavy load some audit events may be posted with incorrect severity levels for sites which have auditing enabled. This may cause some customer filtering software to miss certain audit events.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)

7) The problem is that IP addresses of machines behind a firewall can be disclosed to a malicious person via NAT (Network Address Translation).

The vulnerability affects the following version:
* WebLogic Server 8.1 through Service Pack 3 (all platforms)

8) The passphrase for the Trust keystore is stored in clear text in the "nodemanager.config" file. This can be exploited to disclose the server's private keys.

Successful exploitation requires file access to the "nodemanager.config" file.

The security issue affects the following version:
* WebLogic Server 8.1 through Service Pack 3 (all platforms)

9) An error where Principals from a derived Principal class are not properly validated in certain situations may be exploited to gain escalated privileges.

The vulnerability affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 5 (all platforms)

10) An error where the servlet root URL pattern does not properly protect servlets may be exploited by malicious people to access certain servlet resources.

The vulnerability affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 3 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 5 (all platforms)

11) An error in the restriction of an unspecified internal servlet in the Administration server can be exploited to access files on the local filesystem.

Successful exploitation requires the Admin security role.

The vulnerability affects the following version:
* WebLogic Server / Express 8.1 through Service Pack 3 (all platforms)

12) An error in the importing of security policies from other operating systems (e.g. from UNIX to Windows) can cause servlets to be left unprotected.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 (all platforms)
* WebLogic Server / Express 7.0 (all platforms)

13) The passphrase for the private key used to configure SSL is displayed in clear text on the terminal and stored in clear text in the server log file when creating a WebLogic server domain via the configuration wizard.

The security issue affects the following version:
* WebLogic Server 8.1 through Service Pack 3 (all platforms)

14) The problem is that certain servlet resources may not be properly protected from malicious people after an error occurs during deployment when the fullyDelegateAuthorization mode is enabled.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 3 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 5 (all platforms)

15) The problem is that system properties which may contain sensitive information (e.g. passwords) are logged to the server log file.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 5 (all platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all platforms)

16) The problem is that the password used to boot the server is stored in clear text in the Windows registry.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all platforms)

17) The problem is that a password is included in a subject when using IIOP (Internet Inter-ORB Protocol) and may be exposed in an exception to a remote client or in the server log.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all platforms)

18) WebLogic Server / Express has a user lockout mechanism designed to protect against brute-force attacks. The problem is that the feature can be exploited by malicious people to lock out the administrator via multiple incorrect login requests.

Successful exploitation requires knowledge of the administrator's username.

19) The problem is that a Deployer can use the weblogic.Deployer command using the insecure t3 protocol in communication with the Administration server.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)

20) The problem is that multicast messages are sent in clear text in clusters.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 5 (all platforms)

21) An error in the handling of incorrect log records may cause MBean configuration changes not to be saved in the audit log.

The security issue affects the following version:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)

22) An error in the handling of malformed HTTP requests may be exploited by malicious people to conduct HTTP request smuggling attacks.

The vulnerability affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all platforms)
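Added example, not code from the advisory or from BEA: a strict HTTP/1.1 framing check of the kind a front-end proxy or filter can apply so that requests with ambiguous body length (the class of malformed request that request smuggling relies on) are rejected before they reach an application server. The request samples are constructed for the example.

```python
"""Strict HTTP/1.1 framing check: flag requests whose body length is ambiguous."""
import re

# RFC 7230 token characters for a header field name; value is trimmed of OWS.
HEADER_RE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")


def framing_problems(raw: bytes) -> list:
    """Return the reasons a request's framing is ambiguous; an empty list means it is clean."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["incomplete header block"]
    problems, cl_values, te_values = [], [], []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        if line[:1] in (b" ", b"\t"):              # obs-fold: parsers disagree on it
            problems.append("obsolete line folding in header")
            continue
        m = HEADER_RE.match(line)
        if not m:                                  # e.g. space before the colon
            problems.append("malformed header line: %r" % line)
            continue
        name, value = m.group(1).lower(), m.group(2)
        if name == b"content-length":
            cl_values.append(value)
        elif name == b"transfer-encoding":
            te_values.append(value)
    if cl_values and te_values:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl_values)) > 1:
        problems.append("conflicting Content-Length values")
    for v in cl_values:
        if not re.fullmatch(rb"[0-9]+", v):
            problems.append("non-numeric Content-Length: %r" % v)
    if te_values:
        codings = [c.strip().lower() for v in te_values for c in v.split(b",")]
        if codings[-1] != b"chunked":              # chunked must be the final coding
            problems.append("Transfer-Encoding does not end with chunked")
    return problems


# Constructed sample requests.
CLEAN = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\nhello")
AMBIGUOUS = (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("clean", CLEAN), ("ambiguous", AMBIGUOUS)):
        print(name, framing_problems(req) or "ok")
```

A front-end that rejects anything this function flags removes the disagreement between its own parser and the back-end's, which is what the smuggling technique exploits.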

23) An error in the handling of servlets doing relative forwarding may cause a vulnerable site to become unusable in certain situations.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)

24) An error in the user lockout security mechanism allows malicious people to perform more login requests than intended.

The security issue affects the following versions:
* WebLogic Server 8.1 through Service Pack 4 (all platforms)
* WebLogic Server 7.0 through Service Pack 6 (all platforms)


Solution:
Patches and updated documentation are available (see the original vendor advisories).

Provided and/or discovered by:
Reported by the vendor.

2) The vendor credits:
* ACROS Security
* DV Bern AG
* Application Security Inc
* GomoR

Original Advisory:
BEA06-87.01:
http://dev2dev.bea.com/pub/advisory/197

BEA05-80.02:
http://dev2dev.bea.com/pub/advisory/139

BEA05-85.00:
http://dev2dev.bea.com/pub/advisory/140

BEA05-86.00:
http://dev2dev.bea.com/pub/advisory/141

BEA05-88.00:
http://dev2dev.bea.com/pub/advisory/142

BEA05-89.00:
http://dev2dev.bea.com/pub/advisory/143

BEA05-90.00:
http://dev2dev.bea.com/pub/advisory/144

BEA05-91.00:
http://dev2dev.bea.com/pub/advisory/145

BEA05-92.00:
http://dev2dev.bea.com/pub/advisory/146

BEA05-93.00:
http://dev2dev.bea.com/pub/advisory/147

BEA05-94.00:
http://dev2dev.bea.com/pub/advisory/148

BEA05-95.00:
http://dev2dev.bea.com/pub/advisory/149

BEA05-96.00:
http://dev2dev.bea.com/pub/advisory/150

BEA05-97.00:
http://dev2dev.bea.com/pub/advisory/151

BEA05-98.00:
http://dev2dev.bea.com/pub/advisory/152

BEA05-99.00:
http://dev2dev.bea.com/pub/advisory/153

BEA05-100.00:
http://dev2dev.bea.com/pub/advisory/154

BEA05-101.00:
http://dev2dev.bea.com/pub/advisory/155

BEA05-102.00:
http://dev2dev.bea.com/pub/advisory/156

BEA05-103.00:
http://dev2dev.bea.com/pub/advisory/157

BEA05-104.00:
http://dev2dev.bea.com/pub/advisory/158

BEA06-105.01:
http://dev2dev.bea.com/pub/advisory/177

BEA06-106.01:
http://dev2dev.bea.com/pub/advisory/164

BEA06-107.01:
http://dev2dev.bea.com/pub/advisory/178

