Multiple vulnerabilities and security issues have been reported in BEA Weblogic, which can be exploited by malicious people or malicious users to gain knowledge of sensitive information, bypass certain security restrictions, conduct spoofing attacks, cause a DoS (Denial Of Service), or potentially compromise a vulnerable system.

1) An error in the SSL library can be exploited to determine the plaintext block.

The vulnerability affects the following versions:
* WebLogic Server 8.1 released through Service Pack 5, on all platforms
* WebLogic Server 7.0 released through Service Pack 7, on all platforms
* WebLogic Server 6.1 released through Service Pack 7, on all platforms

2) The server does not properly validate client certificates when reusing connections from the cache. This can be exploited to gain access to the web server via a X.509 certificate.

Successful exploitation requires that the application allows access to multiple users via a single client process.

The vulnerability affects the following versions:
* WebLogic Server 8.1 released through Service Pack 4, on all platforms

3) Passwords stored in the JDBCDataSourceFactory MBean Properties attribute is not encrypted. This can be exploited by malicious users to view the passwords.

The security issue affects the following versions:
* WebLogic Server 9.0 initial release
* WebLogic Server 8.1, released through Service Pack 4
* WebLogic Server 7.0, released through Service Pack 6

4) An error in thread management can be exploited to cause the server to hang via a series of specially crafted requests.

The vulnerability affects the following versions:
* WebLogic Server 9.1, on all platforms
* WebLogic Server 9.0, on all platforms
* WebLogic Server 8.1 through Service Pack 5, on all platforms
* WebLogic Server 7.0 through Service Pack 6, on all platforms

5) An error in WebLogic clients using WS-Security can be exploited via man-in-the-middle attacks.

The security issue affects the following versions:
* WebLogic Server 9.2 with no maintenance packs, on all platforms
* WebLogic Server 9.1 on all platforms
* WebLogic Server 9.0 on all platforms
* WebLogic Server 8.1 released through Service Pack 5, on all platforms

6) Deployed .ear or exploded .ear files that use the manifest class-path property to point to utility jar files can be exploited by a malicious person to view files inside the class-path property.

The vulnerability affects the following versions:
* WebLogic Server 8.1 released through Service Pack 5, on all platforms
* WebLogic Server 7.0 released through Service Pack 7, on all platforms
* WebLogic Server 6.1 released through Service Pack 7, on all platforms

7) The server does not properly protect sensitive values when an administrator edits the config.xml file offline using clear text values. During a restart, WebLogic Server saves a backup of the file including the clear text values.

The security issue affects the following versions:
* WebLogic Server 8.1 released through Service Pack 5, on all platforms

8) An error in the handling of threads when processing error pages defined in web.xml can be exploited to cause the server to become unresponsive.

The vulnerability affects the following versions:
* WebLogic Server 9.0 on all platforms
* WebLogic Server 8.1 released through Service Pack 5, on all platforms
* WebLogic Server 7.0 released through Service Pack 6, on all platforms
* WebLogic Server 6.1 released through Service Pack 7, on all platforms

9) An error in enforcing access controls when an application is dynamically updated and redeployed can be exploited to gain unauthorized access to certain resources.

The security issue affects the following versions:
* WebLogic Server 8.1 released through Service Pack 5, on all platforms

10) An error in the way WSSE runtime enforces decryption certificates can be exploited to bypass certain security restrictions.

The vulnerability affects the following versions:
* WebLogic Server 9.1 on all platforms
* WebLogic Server 9.0 on all platforms

11) Some EJB calls can be executed with administrative privileges and can be exploited via malicious EJBs installed in the server.

Successful exploitation requires that the WebLogic Server 6.1 compatibility realm is used.

The security issue affects the following versions:
* WebLogic Server 9.1 on all platforms
* WebLogic Server 9.0 on all platforms
* WebLogic Server 8.1 released through Service Pack 5, on all platforms
* WebLogic Server 7.0 released through Service Pack 7, on all platforms

12) Certain security policies added via the console by the administrator does not properly protect EJB resources. This may be exploited by malicious people to access certain restricted resources.

The security issue affects the following versions:
* WebLogic Server 9.1 on all platforms
* WebLogic Server 9.0 on all platforms
* WebLogic Server 8.1 released through Service Pack 5, on all platforms
* WebLogic Server 7.0 released through Service Pack 6, on all platforms

13) An error in the WebLogic Server proxy plug-in for Apache server can be exploited to cause the server to become unresponsive via a specially crafted request.

The vulnerability is reported in Apache plug-ins dated prior to June 2006.

14) An error in the handling of specially crafted HTTP requests can be exploited to disclose information from previous HTTP requests.

The vulnerability is reported in the following versions:
* WebLogic Server 9.2 with no maintenance packs, on all platforms
* WebLogic Server 9.1 on all platforms
* WebLogic Server 9.0 on all platforms

15) An error in the handling of requests containing specially crafted headers can be exploied to to consume a large amount of disk space in the server log.

The vulnerability is reported in the following versions:
* WebLogic Server 7.0 released through Service Pack 7, on all platforms
* WebLogic Server 6.1 released through Service Pack 7, on all platforms

16) An error in the handling of certain socket connections can be exploited to cause the server to become unresponsive to other requests.

The vulnerability is reported in the following versions:
* WebLogic Server 9.2 with no maintenance packs, on Solaris 9
* WebLogic Server 9.1 on Solaris 9
* WebLogic Server 9.0 on Solaris 9

17) Deleting entitlements for a specific role also affect other role entitlements. This can be exploited by malicious users to gain unauthorized access to certain resources.

The security issue is reported in the following versions:
*WebLogic Portal 9.2 on all platforms.

18) An error in the WebLogic Server proxy plug-in for Netscape Enterprise Server can be exploited to cause the server to stop responding to other requests or to consume a large amount of CPU resource.

The vulnerability is reported in plug-ins dated prior to September, 2006.

19) An error in BEA JRockit can be exploited to cause a bufer overflow via a specially crafted packet.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in the following versions:
* WebLogic Platform 8.1 released through Service Pack 5 on Linux and Windows.
* WebLogic Server 8.1 released through Service Pack 5 on Linux and Windows.
* BEA JRockit 1.4.2 R4.5 and previous versions on Linux and Windows.

20) Policy changes are not properly migrated to other servers if the Administrative Server is down when making the changes. Malicious users may be able to gain unauthorized access to certain resources.

The security issue is reported in the following versions:
* WebLogic Portal 9.2 on all platforms.

Solution
Apply patches (see vendor advisories for details).

Provided and/or discovered by
Reported by the vendor.

Changelog
Further details available to Secunia VIM customers

Original Advisory
1) http://dev2dev.bea.com/pub/advisory/201
2) http://dev2dev.bea.com/pub/advisory/202
3) http://dev2dev.bea.com/pub/advisory/203
4) http://dev2dev.bea.com/pub/advisory/204
5) http://dev2dev.bea.com/pub/advisory/205
6) http://dev2dev.bea.com/pub/advisory/206
7) http://dev2dev.bea.com/pub/advisory/207
8) http://dev2dev.bea.com/pub/advisory/208
9) http://dev2dev.bea.com/pub/advisory/209
10) http://dev2dev.bea.com/pub/advisory/210
11) http://dev2dev.bea.com/pub/advisory/211
12) http://dev2dev.bea.com/pub/advisory/212
13) http://dev2dev.bea.com/pub/advisory/213
14) http://dev2dev.bea.com/pub/advisory/214
15) http://dev2dev.bea.com/pub/advisory/215
16) http://dev2dev.bea.com/pub/advisory/217
17) http://dev2dev.bea.com/pub/advisory/218
18) http://dev2dev.bea.com/pub/advisory/219
19) http://dev2dev.bea.com/pub/advisory/222
20) http://dev2dev.bea.com/pub/advisory/223

Deep Links
Links available to Secunia VIM customers