SecurityTracker.com
Category:  Application (Web Server/CGI)  >  WebLogic
Vendors:  BEA Systems
BEA WebLogic May Disclose Database Password Via 'config.xml' For Untargeted JDBC Connection Pools
SecurityTracker Alert ID:  1009764
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Apr 13 2004
Impact:  Disclosure of authentication information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 8.1 through Service Pack 2; 7.0 through Service Pack 4; 6.1 through Service Pack 6
Description:  A vulnerability has been reported in BEA's WebLogic Server and WebLogic Express. A local user may be able to obtain the database password for untargeted JDBC connection pools.

BEA reported that a database password may be stored in clear text in the 'config.xml' file in two situations: when a JDBC connection pool has not yet been targeted to a server but already has a database username and password configured, or when a JDBC connection pool has been untargeted from all servers and its password has since been changed.

Users with untargeted JDBC connection pools with configured passwords are affected.

Impact:  A local user can obtain the database username and password.
Solution:  For WebLogic Server and WebLogic Express version 8.1, the vendor indicates that you should upgrade to SP2 and install the following patch:

ftp://ftpna.beasys.com/pub/releases/security/CR128888_81sp2.jar

Service Pack 3 will reportedly include this fix.

For WebLogic Server and WebLogic Express version 7.0, the vendor indicates that you should upgrade to Service Pack 5.

For WebLogic Server and WebLogic Express version 6.1, the vendor indicates that you should upgrade to SP6 and install the following patch:

ftp://ftpna.beasys.com/pub/releases/security/CR128888_61sp6.jar

The vendor reports that version 6.1 Service Pack 7 will include this fix.

Vendor URL:  dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_53.00.jsp
Cause:  Access control error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)
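As an added defensive check (not part of the advisory and not BEA's own tooling), the script below audits a WebLogic config.xml for JDBCConnectionPool entries whose database password is present in clear text, and reports whether each such pool is targeted to a server, since the advisory concerns untargeted pools. The element and attribute names (JDBCConnectionPool, Targets, Password, PasswordEncrypted, Properties) are assumptions about the 8.1-era config.xml schema, and the embedded configuration is constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed WebLogic 8.1-style config.xml fragment (not taken from the advisory).
# Element/attribute names are assumptions about that schema; values are placeholders.
SAMPLE_CONFIG = """<Domain Name="mydomain">
  <Server Name="myserver" ListenPort="7001"/>
  <JDBCConnectionPool Name="targetedPool" Targets="myserver"
      DriverName="oracle.jdbc.driver.OracleDriver"
      URL="jdbc:oracle:thin:@dbhost:1521:orcl"
      Properties="user=scott"
      PasswordEncrypted="{3DES}PLACEHOLDER"/>
  <JDBCConnectionPool Name="untargetedPool" Targets=""
      DriverName="oracle.jdbc.driver.OracleDriver"
      URL="jdbc:oracle:thin:@dbhost:1521:orcl"
      Properties="user=scott"
      Password="tiger"/>
  <JDBCConnectionPool Name="leakyPropsPool"
      DriverName="oracle.jdbc.driver.OracleDriver"
      URL="jdbc:oracle:thin:@dbhost:1521:orcl"
      Properties="user=scott;password=tiger"/>
</Domain>
"""

def find_cleartext_pools(config_xml):
    """Return (pool name, targeting, reason) for every JDBCConnectionPool that
    carries a cleartext database password. Targeting is reported because
    BEA04-53.00 concerns pools that are not targeted to any server."""
    root = ET.fromstring(config_xml)
    findings = []
    for pool in root.iter("JDBCConnectionPool"):
        reasons = []
        # A 'Password' attribute (rather than 'PasswordEncrypted') is stored as-is.
        if pool.get("Password"):
            reasons.append("cleartext Password attribute")
        # A password placed in the driver Properties string is also cleartext.
        for kv in pool.get("Properties", "").split(";"):
            if kv.strip().lower().startswith("password="):
                reasons.append("password in Properties")
        if reasons:
            targeting = "targeted" if pool.get("Targets", "").strip() else "untargeted"
            findings.append((pool.get("Name", "?"), targeting, "; ".join(reasons)))
    return findings

def audit_file(path):
    """Audit an on-disk config.xml; returns the same list as find_cleartext_pools."""
    with open(path, encoding="utf-8") as f:
        return find_cleartext_pools(f.read())
```

Run `audit_file` against each domain's config.xml after applying the vendor patch to confirm no untargeted pool still carries a cleartext password.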

Message History:   None.


Source Message Contents

Date:  Tue, 13 Apr 2004 18:24:04 -0400
Subject:  http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_53.00.jsp

 

http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_53.00.jsp

 > Security Advisory: (BEA04-53.00)

 > From: BEA Systems Inc.

 > Minor Subject: Patches are available to prevent password exposure.

 > Product(s) Affected: WebLogic Server and WebLogic Express

A vulnerability was reported in BEA's WebLogic Server and WebLogic Express.  Users with 
untargeted JDBC connection pools with configured passwords are affected.

A database password may reportedly be included in clear text in the 'config.xml' file when 
a JDBC connection pool is not yet targeted to a server but already has a database username 
and password configured or when a JDBC connection pool has been untargeted from all 
servers and the password has since been changed.

The following versions are affected:

8.1 through Service Pack 2, on all platforms
7.0 through Service Pack 4, on all platforms
6.1 through Service Pack 6, on all platforms

For WebLogic Server and WebLogic Express version 8.1, the vendor indicates that you should 
upgrade to SP2 and install the following patch:

ftp://ftpna.beasys.com/pub/releases/security/CR128888_81sp2.jar

Service Pack 3 will reportedly include this fix.

For WebLogic Server and WebLogic Express version 7.0, the vendor indicates that you should 
upgrade to Service Pack 5.

For WebLogic Server and WebLogic Express version 6.1, the vendor indicates that you should 
upgrade to SP6 and install the following patch:

ftp://ftpna.beasys.com/pub/releases/security/CR128888_61sp6.jar

The vendor reports that version 6.1 Service Pack 7 will include this fix.


 > Threat level: Low - The vulnerability requires a user to have read access to
 > the config.xml file.
 > Severity: High - A user can obtain the database username and password.

 








Copyright 2004, SecurityGlobal.net LLC