Moderately critical

BEA WebLogic Multiple Vulnerabilities and Security Issues


Release Date:  2007-01-17    Last Update:  2007-09-03    Views:  18,968

Secunia Advisory SA23750

Where:

From remote

Impact:

Security Bypass, Spoofing, Exposure of sensitive information, DoS, System access

Solution Status:

Vendor Patch

CVE Reference(s):

Description


Multiple vulnerabilities and security issues have been reported in BEA WebLogic, which can be exploited by malicious people or malicious users to gain knowledge of sensitive information, bypass certain security restrictions, conduct spoofing attacks, cause a DoS (Denial of Service), or potentially compromise a vulnerable system.

1) An error in the SSL library can be exploited to determine the plaintext block.

The vulnerability affects the following versions:
* WebLogic Server 8.1 released through Service Pack 5, on all platforms
* WebLogic Server 7.0 released through Service Pack 7, on all platforms
* WebLogic Server 6.1 released through Service Pack 7, on all platforms

2) The server does not properly validate client certificates when reusing connections from the cache. This can be exploited to gain access to the web server via an X.509 certificate.

Successful exploitation requires that the application allows access to multiple users via a single client process.

The vulnerability affects the following versions:
* WebLogic Server 8.1 released through Service Pack 4, on all platforms

3) Passwords stored in the JDBCDataSourceFactory MBean Properties attribute are not encrypted. This can be exploited by malicious users to view the passwords.

The security issue affects the following versions:
* WebLogic Server 9.0 initial release
* WebLogic Server 8.1, released through Service Pack 4
* WebLogic Server 7.0, released through Service Pack 6

4) An error in thread management can be exploited to cause the server to hang via a series of specially crafted requests.

The vulnerability affects the following versions:
* WebLogic Server 9.1, on all platforms
* WebLogic Server 9.0, on all platforms
* WebLogic Server 8.1 through Service Pack 5, on all platforms
* WebLogic Server 7.0 through Service Pack 6, on all platforms

5) An error in WebLogic clients using WS-Security can be exploited via man-in-the-middle attacks.

The security issue affects the following versions:
* WebLogic Server 9.2 with no maintenance packs, on all platforms
* WebLogic Server 9.1 on all platforms
* WebLogic Server 9.0 on all platforms
* WebLogic Server 8.1 released through Service Pack 5, on all platforms

6) Deployed .ear or exploded .ear files that use the manifest class-path property to point to utility jar files can be exploited by a malicious person to view files inside the class-path property.

The vulnerability affects the following versions:
* WebLogic Server 8.1 released through Service Pack 5, on all platforms
* WebLogic Server 7.0 released through Service Pack 7, on all platforms
* WebLogic Server 6.1 released through Service Pack 7, on all platforms

7) The server does not properly protect sensitive values when an administrator edits the config.xml file offline using clear text values. During a restart, WebLogic Server saves a backup of the file including the clear text values.

The security issue affects the following versions:
* WebLogic Server 8.1 released through Service Pack 5, on all platforms

8) An error in the handling of threads when processing error pages defined in web.xml can be exploited to cause the server to become unresponsive.

The vulnerability affects the following versions:
* WebLogic Server 9.0 on all platforms
* WebLogic Server 8.1 released through Service Pack 5, on all platforms
* WebLogic Server 7.0 released through Service Pack 6, on all platforms
* WebLogic Server 6.1 released through Service Pack 7, on all platforms

9) An error in enforcing access controls when an application is dynamically updated and redeployed can be exploited to gain unauthorized access to certain resources.

The security issue affects the following versions:
* WebLogic Server 8.1 released through Service Pack 5, on all platforms

10) An error in the way WSSE runtime enforces decryption certificates can be exploited to bypass certain security restrictions.

The vulnerability affects the following versions:
* WebLogic Server 9.1 on all platforms
* WebLogic Server 9.0 on all platforms

11) Some EJB calls can be executed with administrative privileges and can be exploited via malicious EJBs installed in the server.

Successful exploitation requires that the WebLogic Server 6.1 compatibility realm is used.

The security issue affects the following versions:
* WebLogic Server 9.1 on all platforms
* WebLogic Server 9.0 on all platforms
* WebLogic Server 8.1 released through Service Pack 5, on all platforms
* WebLogic Server 7.0 released through Service Pack 7, on all platforms

12) Certain security policies added via the console by the administrator do not properly protect EJB resources. This may be exploited by malicious people to access certain restricted resources.

The security issue affects the following versions:
* WebLogic Server 9.1 on all platforms
* WebLogic Server 9.0 on all platforms
* WebLogic Server 8.1 released through Service Pack 5, on all platforms
* WebLogic Server 7.0 released through Service Pack 6, on all platforms

13) An error in the WebLogic Server proxy plug-in for Apache server can be exploited to cause the server to become unresponsive via a specially crafted request.

The vulnerability is reported in Apache plug-ins dated prior to June 2006.

14) An error in the handling of specially crafted HTTP requests can be exploited to disclose information from previous HTTP requests.

The vulnerability is reported in the following versions:
* WebLogic Server 9.2 with no maintenance packs, on all platforms
* WebLogic Server 9.1 on all platforms
* WebLogic Server 9.0 on all platforms

15) An error in the handling of requests containing specially crafted headers can be exploited to consume a large amount of disk space in the server log.

The vulnerability is reported in the following versions:
* WebLogic Server 7.0 released through Service Pack 7, on all platforms
* WebLogic Server 6.1 released through Service Pack 7, on all platforms

16) An error in the handling of certain socket connections can be exploited to cause the server to become unresponsive to other requests.

The vulnerability is reported in the following versions:
* WebLogic Server 9.2 with no maintenance packs, on Solaris 9
* WebLogic Server 9.1 on Solaris 9
* WebLogic Server 9.0 on Solaris 9

17) Deleting entitlements for a specific role also affects other role entitlements. This can be exploited by malicious users to gain unauthorized access to certain resources.

The security issue is reported in the following versions:
* WebLogic Portal 9.2 on all platforms.

18) An error in the WebLogic Server proxy plug-in for Netscape Enterprise Server can be exploited to cause the server to stop responding to other requests or to consume a large amount of CPU resource.

The vulnerability is reported in plug-ins dated prior to September, 2006.

19) An error in BEA JRockit can be exploited to cause a buffer overflow via a specially crafted packet.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in the following versions:
* WebLogic Platform 8.1 released through Service Pack 5 on Linux and Windows.
* WebLogic Server 8.1 released through Service Pack 5 on Linux and Windows.
* BEA JRockit 1.4.2 R4.5 and previous versions on Linux and Windows.

20) Policy changes are not properly migrated to other servers if the Administrative Server is down when making the changes. Malicious users may be able to gain unauthorized access to certain resources.

The security issue is reported in the following versions:
* WebLogic Portal 9.2 on all platforms.


Solution:
Apply patches (see vendor advisories for details).

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
1) http://dev2dev.bea.com/pub/advisory/201
2) http://dev2dev.bea.com/pub/advisory/202
3) http://dev2dev.bea.com/pub/advisory/203
4) http://dev2dev.bea.com/pub/advisory/204
5) http://dev2dev.bea.com/pub/advisory/205
6) http://dev2dev.bea.com/pub/advisory/206
7) http://dev2dev.bea.com/pub/advisory/207
8) http://dev2dev.bea.com/pub/advisory/208
9) http://dev2dev.bea.com/pub/advisory/209
10) http://dev2dev.bea.com/pub/advisory/210
11) http://dev2dev.bea.com/pub/advisory/211
12) http://dev2dev.bea.com/pub/advisory/212
13) http://dev2dev.bea.com/pub/advisory/213
14) http://dev2dev.bea.com/pub/advisory/214
15) http://dev2dev.bea.com/pub/advisory/215
16) http://dev2dev.bea.com/pub/advisory/217
17) http://dev2dev.bea.com/pub/advisory/218
18) http://dev2dev.bea.com/pub/advisory/219
19) http://dev2dev.bea.com/pub/advisory/222
20) http://dev2dev.bea.com/pub/advisory/223

© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144