Secunia Logo  


Secunia PSI WorldMap
 
BEA AquaLogic Weakness and Multiple Vulnerabilities
Secunia Advisory: SA23786
Release Date: 2007-01-17
Last Update: 2007-01-24
Popularity: 8,133 views

Critical:
Less critical
Impact: Security Bypass
Where: From local network
Solution Status: Vendor Patch

Software:BEA AquaLogic Enterprise Security 2.x
BEA AquaLogic Service Bus 2.x

Secunia CVSS-2 Score: Available in Secunia business solutions

Subscribe: Instant alerts on relevant vulnerabilities


Advisory Content (Page 1 of 3)[ 1 ] [ 2 ] [ 3 ]

Description:
Some vulnerabilities and a weakness have been reported in BEA AquaLogic, which can be exploited by malicious people to bypass certain security restrictions.

1) An error in the proxy service can be exploited to bypass authorization policies defined by the AquaLogic Service Bus administrator via specially crafted requests.

The vulnerability affects the following versions:
* AquaLogic Service Bus 2.0 on all platforms
* AquaLogic Service Bus 2.1 on all platforms
* AquaLogic Service Bus 2.5 on all platforms

2) Insufficient restrictions on disabled users can be exploited to logon to the AquaLogic Enterprise Server even though the user account has been disabled (but not deleted).

Successful exploitation requires that Active Directory LDAP server is used as the authentication database.

The vulnerability affects the following versions:
* AquaLogic Enterprise Security 2.0, released through Service Pack 2, on all platforms when Active Directory LDAP server is used for authentication
* AquaLogic Enterprise Security 2.1, released through Service Pack 1, on all platforms when Active Directory LDAP server is used for authentication
* AquaLogic Enterprise Security 2.2, on all platforms when Active Directory LDAP server is used for authentication

3) It is possible that audit events are posted with incorrect values when the server is under high load conditions.

The weakness affects the following versions:
* AquaLogic Enterprise Security 2.0, released through Service Pack 2, on all platforms when Active Directory LDAP server is used for authentication
* AquaLogic Enterprise Security 2.1, released through Service Pack 1, on all platforms when Active Directory LDAP server is used for authentication
* AquaLogic Enterprise Security 2.2, on all platforms when Active Directory LDAP server is used for authentication

Change Page:
[ 1 ] [ 2 ] [ 3 ]



Track this Secunia Advisory
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.

Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.

About this Secunia Advisory
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.

Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
  
Latest Advisories

Send Feedback to Secunia
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.

Ideas, suggestions, and other feedback are most welcome.

Most Popular - 3 Hours

1. Internet Explorer Charset Inheritance Cross-Site Scripting Vulnerability // 32 views
2. Sun Java JDK / JRE Multiple Vulnerabilities // 25 views
3. Adobe Flash Player Multiple Vulnerabilities // 21 views
4. Adobe Reader/Acrobat Multiple Vulnerabilities // 16 views
5. Microsoft Windows Win32k Kernel-Mode Driver Multiple Vulnerabilities // 16 views
6. Microsoft Visual Basic for Applications Buffer Overflow // 15 views
7. Microsoft Windows SMB Response Denial of Service Vulnerability // 14 views
8. Apple Safari Multiple Vulnerabilities // 12 views
9. libexif "exif_entry_fix()" Buffer Overflow Vulnerability // 9 views
10. Oracle Products Multiple Vulnerabilities // 9 views