|
BEA AquaLogic Weakness and Multiple Vulnerabilities
|
|
Secunia Advisory:
|
SA23786
|
|
|
Release Date:
|
2007-01-17
|
|
Last Update:
|
2007-01-24
|
|
Popularity:
|
8,133 views
|
|
|
Critical:
|
Less critical
|
|
Impact:
|
Security Bypass
|
|
Where:
|
From local network
|
|
Solution Status:
|
Vendor Patch
|
|
| Software: | BEA AquaLogic Enterprise Security 2.x
BEA AquaLogic Service Bus 2.x
|
|
|
Secunia CVSS-2 Score:
|
Available in Secunia business solutions 
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities
|
|
| Advisory Content (Page 1 of 3) | [ 1 ] [ 2 ] [ 3 ] | |
|
Description:
Some vulnerabilities and a weakness have been reported in BEA AquaLogic, which can be exploited by malicious people to bypass certain security restrictions.
1) An error in the proxy service can be exploited to bypass authorization policies defined by the AquaLogic Service Bus administrator via specially crafted requests.
The vulnerability affects the following versions:
* AquaLogic Service Bus 2.0 on all platforms
* AquaLogic Service Bus 2.1 on all platforms
* AquaLogic Service Bus 2.5 on all platforms
2) Insufficient restrictions on disabled users can be exploited to logon to the AquaLogic Enterprise Server even though the user account has been disabled (but not deleted).
Successful exploitation requires that Active Directory LDAP server is used as the authentication database.
The vulnerability affects the following versions:
* AquaLogic Enterprise Security 2.0, released through Service Pack 2, on all platforms when Active Directory LDAP server is used for authentication
* AquaLogic Enterprise Security 2.1, released through Service Pack 1, on all platforms when Active Directory LDAP server is used for authentication
* AquaLogic Enterprise Security 2.2, on all platforms when Active Directory LDAP server is used for authentication
3) It is possible that audit events are posted with incorrect values when the server is under high load conditions.
The weakness affects the following versions:
* AquaLogic Enterprise Security 2.0, released through Service Pack 2, on all platforms when Active Directory LDAP server is used for authentication
* AquaLogic Enterprise Security 2.1, released through Service Pack 1, on all platforms when Active Directory LDAP server is used for authentication
* AquaLogic Enterprise Security 2.2, on all platforms when Active Directory LDAP server is used for authentication
Change Page:
[ 1 ] [ 2 ] [ 3 ]
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
