|
BEA AquaLogic Weakness and Multiple Vulnerabilities
|
|
Secunia Advisory:
|
SA23786
|
|
|
Release Date:
|
2007-01-17
|
|
Last Update:
|
2007-01-24
|
|
Popularity:
|
6,700 views
|
|
|
Critical:
|
Less critical
|
|
Impact:
|
Security Bypass
|
|
Where:
|
From local network
|
|
Solution Status:
|
Vendor Patch
|
|
| Software: | BEA AquaLogic Enterprise Security 2.x
BEA AquaLogic Service Bus 2.x
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities 
|
| | CVE reference: | CVE-2007-0432
CVE-2007-0433
CVE-2007-0434
|
|
Description:
Some vulnerabilities and a weakness have been reported in BEA AquaLogic, which can be exploited by malicious people to bypass certain security restrictions.
1) An error in the proxy service can be exploited to bypass authorization policies defined by the AquaLogic Service Bus administrator via specially crafted requests.
The vulnerability affects the following versions:
* AquaLogic Service Bus 2.0 on all platforms
* AquaLogic Service Bus 2.1 on all platforms
* AquaLogic Service Bus 2.5 on all platforms
2) Insufficient restrictions on disabled users can be exploited to logon to the AquaLogic Enterprise Server even though the user account has been disabled (but not deleted).
Successful exploitation requires that Active Directory LDAP server is used as the authentication database.
The vulnerability affects the following versions:
* AquaLogic Enterprise Security 2.0, released through Service Pack 2, on all platforms when Active Directory LDAP server is used for authentication
* AquaLogic Enterprise Security 2.1, released through Service Pack 1, on all platforms when Active Directory LDAP server is used for authentication
* AquaLogic Enterprise Security 2.2, on all platforms when Active Directory LDAP server is used for authentication
3) It is possible that audit events are posted with incorrect values when the server is under high load conditions.
The weakness affects the following versions:
* AquaLogic Enterprise Security 2.0, released through Service Pack 2, on all platforms when Active Directory LDAP server is used for authentication
* AquaLogic Enterprise Security 2.1, released through Service Pack 1, on all platforms when Active Directory LDAP server is used for authentication
* AquaLogic Enterprise Security 2.2, on all platforms when Active Directory LDAP server is used for authentication
Solution:
Apply patches (see vendor advisories for details).
Provided and/or discovered by:
Reported by the vendor.
Changelog:
2007-01-24: Added CVE reference.
Original Advisory:
1) http://dev2dev.bea.com/pub/advisory/224
2) http://dev2dev.bea.com/pub/advisory/221
3) http://dev2dev.bea.com/pub/advisory/220
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
21st Nov, 2008
|
New advisories:
|
12 |
|
New vulnerabilities:
|
46 |
|
Updated advisories:
|
20 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
 Solutions | More...
|
|
