A vulnerability has been identified in BEA WebLogic and BEA Tuxedo allowing malicious people to spoof an identity. This vulnerability is similar to the certificate chain vulnerability found in Microsoft Windows and other products last year.
The problem is that the holder of a valid certificate can sign a fake certificate. The SSL implementation will then mistake the fake certificate for one issued by the CA (Certificate Authority) of the valid certificate.
Tuxedo and WebLogic therefore can't properly verify the authenticity of any client or server they communicate with using SSL-based protocols.
Solution: BEA has issued patches to fix this issue.
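The check whose absence produces this kind of flaw, as an added example that is not BEA's code and not part of the original advisory: every certificate that signs another one in the chain must itself be marked as a CA. The `Cert` model, the function name and the sample chains are constructed, and tying the flaw to the basicConstraints CA flag is an assumption based on the Microsoft issue the advisory compares it to.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Cert:
    """Constructed model holding only the X.509 fields this check needs."""
    subject: str
    issuer: str
    is_ca: bool = False               # basicConstraints cA flag
    path_len: Optional[int] = None    # basicConstraints pathLenConstraint


def issuer_authority_problems(chain: List[Cert], roots: Set[str]) -> List[str]:
    """chain[0] is the leaf and chain[-1] the root. Signature, validity and
    revocation checks are assumed to happen elsewhere; this only asks whether
    each signer was entitled to issue certificates at all."""
    if not chain or chain[-1].subject not in roots:
        return ["chain does not end at a trusted root"]
    problems = []
    for i in range(len(chain) - 1):
        child, signer = chain[i], chain[i + 1]
        if child.issuer != signer.subject:
            problems.append(f"{child.subject}: issuer is not {signer.subject}")
        if not signer.is_ca:
            problems.append(f"{signer.subject}: signed {child.subject} but is not a CA")
        # i intermediate certificates sit between this signer and the leaf.
        if signer.path_len is not None and i > signer.path_len:
            problems.append(f"{signer.subject}: path length {i} exceeds {signer.path_len}")
    return problems


# Constructed sample data: a root CA, an ordinary site certificate it issued,
# and a certificate signed with the site's key instead of the CA's.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", is_ca=True)
SITE = Cert("CN=shop.example", "CN=Example Root CA")
FAKE = Cert("CN=bank.example", "CN=shop.example")
TRUSTED = {"CN=Example Root CA"}

if __name__ == "__main__":
    print(issuer_authority_problems([SITE, ROOT], TRUSTED))
    print(issuer_authority_problems([FAKE, SITE, ROOT], TRUSTED))
```

A validator that only checks that each signature verifies and that the chain ends at a trusted root accepts the second chain; the CA-flag test is what rejects it.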