BEA WebLogic Server Multiple Bugs Let Remote Users Deny Service, Obtain Information, and Conduct Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1015029
|
|
SecurityTracker URL: http://securitytracker.com/id?1015029
|
|
CVE Reference: GENERIC-MAP-NOMATCH
|
Updated: Feb 21 2008
|
Original Entry Date: Oct 10 2005
|
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Advisory: BEA Security Advisory
|
Version(s): 6.1 SP7, 7.0 SP6, 8.1 SP4, 9.0; and prior service packs
|
Description: Multiple vulnerabilities were reported in BEA WebLogic Server. A remote user can cause denial of service conditions. A user may be able to obtain elevated privileges. A remote user can conduct cross-site scripting and HTTP request smuggling attacks. The system may disclose user or password information.

BEA Systems issued 22 separate advisories detailing vulnerabilities in various versions of WebLogic Server and WebLogic Express. The highest severity level assigned by the vendor is "high."

In certain situations, if a remote client logs in using one-way SSL without specifying the user, a lower level of SSL encryption may be used [BEA05-85.00]. Java client applications that use SSL but do not specify a user are affected.

If a remote Java client creates a non-SSL T3 connection to a server and then creates an SSL T3S connection to the same destination server, the client may reuse the first, non-SSL connection instead of the second, SSL connection [BEA05-86.00]. Data the application intended to send over SSL is then sent over the unprotected connection.

A remote user can cause server threads to hang, resulting in denial of service conditions on the target server [BEA05-87.00].

A remote authenticated user holding the Deployer security role can escalate to the Admin security role through the run-as deployment descriptor element of a deployed Web application or EJB [BEA05-88.00]. Sites using web applications and EJBs that grant the Deployer and Admin security roles are affected.

When the target server is under heavy load, audit events may be posted with incorrect severity levels [BEA05-89.00]. Sites that have auditing enabled may be affected.

A remote user may be able to determine the IP addresses of systems located behind a firewall that uses network address translation [BEA05-90.00]. Only WebLogic Server 8.1 (through Service Pack 3) is affected.

A remote authenticated user can invoke the Node Manager to access the 'nodemanager.config' file and view the CustomTrustKeyStorePassPhrase in cleartext [BEA05-91.00].

If a custom Principal class has multiple PrincipalValidators, a derived Principal may be only partially validated in certain cases [BEA05-92.00]. A user may be able to tamper with a Principal within a Subject to obtain elevated privileges. Systems that use the WebLogic Authentication providers with the default Principals are not affected.

Servlet security constraints may not properly protect the root directory because the servlet root URL pattern "/" is not always constrained as expected [BEA05-93.00].
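The practical check for BEA05-93.00 is to audit which request paths a deployment's security constraints actually cover. The following is an added example, not code from the advisory or from WebLogic: a small matcher implementing the URL-pattern rules of the Java Servlet specification (exact, path-prefix "/x/*", extension "*.ext", and the lone "/" pattern, which the specification defines as the default servlet rather than as a wildcard). How a given container applies "/" inside a security constraint is container-specific, which is the point of the advisory, so the matcher reads it literally, the pessimistic assumption a reviewer should make. The function names and the sample paths and constraint sets are constructed for the illustration.

```python
"""Audit servlet security constraints against request paths.

Added illustration for BEA05-93.00; not advisory or WebLogic code.
Implements the Servlet-spec url-pattern rules and treats "/" literally
(matches only the root path), which is the safe assumption: a constraint
meant to cover the whole application should use "/*".
"""

from typing import Iterable, List


def pattern_matches(pattern: str, path: str) -> bool:
    """Return True if a servlet url-pattern covers the request path."""
    if pattern == path:                       # exact mapping
        return True
    if pattern.endswith("/*"):                # path-prefix mapping, e.g. /admin/*
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):              # extension mapping, e.g. *.jsp
        return path.endswith(pattern[1:])
    if pattern == "/":                        # default-servlet pattern, read literally
        return path == "/"
    return False                              # anything else is exact-only


def is_protected(constraints: Iterable[str], path: str) -> bool:
    """True if any constrained url-pattern covers the path."""
    return any(pattern_matches(p, path) for p in constraints)


def audit(constraints: Iterable[str], paths: Iterable[str]) -> List[str]:
    """Return the request paths that no constraint covers."""
    constraints = list(constraints)
    return [p for p in paths if not is_protected(constraints, p)]


# Constructed sample paths and constraint sets (not from the advisory).
SAMPLE_PATHS = ["/", "/index.jsp", "/admin/console", "/reports/q1.pdf"]
CONSTRAINT_SETS = {
    "root-only": ["/"],              # what the advisory warns about
    "whole-app": ["/*"],             # covers every path
    "targeted": ["/admin/*", "*.jsp"],
}


def main() -> None:
    for label, constraints in CONSTRAINT_SETS.items():
        print("%-9s unconstrained: %s" % (label, audit(constraints, SAMPLE_PATHS)))


if __name__ == "__main__":
    main()
```

Running it shows that the "root-only" set leaves every path except "/" unconstrained, while "/*" leaves none; a deployment that relies on "/" to protect everything should be rewritten to "/*" regardless of how a particular container version happens to interpret it.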
A remote authenticated user with the Admin security role can access an internal servlet via HTTP or HTTPS to read files on the target system's local file system [BEA05-94.00]. This vulnerability only affects WebLogic Server version 8.1 through Service Pack 3.

When security policies are exported on one operating system and imported on another, differences in case handling may affect the enforcement of the intended policies [BEA05-95.00]. As a result, Web application pages that are protected on one operating system may not be protected on a different operating system.

When a new WebLogic Server domain is created using the Configuration Wizard, the passphrase for the private key used in configuring SSL is displayed on the screen and stored in the server log file [BEA05-96.00].

When an unexpected failure occurs during deployment in an authorization provider or role provider, the servlet container may mark the servlet as inaccessible but allow deployment to continue [BEA05-97.00]. If fullyDelegateAuthorization is enabled, the servlet will not be fully protected because the security framework will not have any constraints for it.

When a user supplies potentially sensitive system properties via the java command line's -D switch when booting the server, the values are written to the server log [BEA05-98.00]. A user with access to the server log can view them.

When WebLogic Server is configured to run as a service on a Windows-based system, the administrative password used to boot the server is stored in the Windows registry [BEA05-99.00]. In some cases, the password is stored in clear text. A local user can read the password to gain access to the administrative account.

In certain situations, the IIOP protocol may construct a Subject that contains a password, which may be displayed in an exception [BEA05-100.00]. A remote user, or a user with access to a server-side log, may be able to obtain the password. Systems using the IIOP protocol may be affected.

A remote user who knows the name of the admin user can make continuous invalid login attempts to lock out the target admin user [BEA05-101.00]. The vendor's response is a documentation update recommending multiple administrator accounts.

In certain situations, a Deployer may use the weblogic.Deployer command with the t3 protocol instead of the secure t3s protocol [BEA05-102.00]. As a result, information sent between the weblogic.Deployer command and the Administration server may be disclosed.

Multicast messages used to keep nodes of a cluster in sync are not encrypted by default [BEA05-103.00].

In certain cases, log records that are not properly formatted may cause an exception and not be published [BEA05-104.00]. If this occurs a certain number of times, no further log records will be published and no auditing of MBean configuration changes will be performed. Only WebLogic Server version 8.1 through Service Pack 4 is affected.

A remote user can issue certain HTTP requests to conduct HTTP request smuggling attacks against the target server [BEA05-105.00].
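The advisory does not say which requests trigger BEA05-105.00, and nothing below should be read as the WebLogic-specific trigger. What a practitioner can do in front of an affected server is refuse any request whose body length two HTTP/1.1 parsers could compute differently, since that disagreement is what every request smuggling technique relies on. The following is an added example, not vendor code: a strict front-end check that rejects requests carrying both Content-Length and Transfer-Encoding, conflicting or non-numeric Content-Length values, Transfer-Encoding values that do not end in "chunked", and header names that are not valid tokens (a space before the colon is a classic way to make one parser see a header the other ignores). Function names and the sample requests are constructed for the example.

```python
"""Reject HTTP/1.1 requests with ambiguous message framing.

Added example for the request-smuggling item (BEA05-105.00); not
WebLogic code.  A request is rejected when two reasonable parsers could
disagree on where its body ends.
"""

import re
from typing import List, Tuple

# RFC 7230 "tchar": the only characters allowed in a header field name.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a request head into (request_line, [(name, value), ...]).

    Raises ValueError for framing a strict parser must not accept:
    no CRLFCRLF terminator, obsolete line folding, or a malformed name.
    Only SP and HTAB are trimmed from values; other whitespace is kept
    so that an obfuscated value cannot be "normalised" into a clean one.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obsolete line folding")
        name, colon, value = line.partition(b":")
        name_s = name.decode("latin-1")
        if not colon or not TOKEN.match(name_s):
            raise ValueError("bad header field: %r" % line)
        headers.append((name_s.lower(), value.strip(b" \t").decode("latin-1")))
    return request_line, headers


def smuggling_findings(raw: bytes) -> List[str]:
    """Return the reasons a request is ambiguous; an empty list means pass."""
    try:
        _, headers = parse_head(raw)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    cls = [v for n, v in headers if n == "content-length"]
    tes = [v for n, v in headers if n == "transfer-encoding"]
    if cls and tes:
        findings.append("both Content-Length and Transfer-Encoding present")
    if len(set(cls)) > 1:
        findings.append("conflicting Content-Length values %s" % cls)
    for v in cls:
        if not v.isdigit():
            findings.append("non-numeric Content-Length %r" % v)
    if tes:
        codings = [c.strip(" \t").lower() for v in tes for c in v.split(",")]
        if codings[-1] != "chunked":
            findings.append("Transfer-Encoding does not end with chunked: %s" % tes)
        if len(tes) > 1:
            findings.append("multiple Transfer-Encoding headers")
    return findings


# Constructed sample requests (not captured traffic).
CLEAN = (b"POST /app/login HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 5\r\n\r\nhello")
CL_TE = (b"POST /app/login HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nG")
DUP_CL = (b"POST /app/login HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 5\r\nContent-Length: 6\r\n\r\nhello!")
TE_OBFUSCATED = (b"POST /app/login HTTP/1.1\r\nHost: example.test\r\n"
                 b"Transfer-Encoding: xchunked\r\n\r\n0\r\n\r\n")
SPACED_NAME = (b"POST /app/login HTTP/1.1\r\nHost: example.test\r\n"
               b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n")


def main() -> None:
    for label, req in [("clean", CLEAN), ("cl.te", CL_TE), ("dup-cl", DUP_CL),
                       ("te-obfuscated", TE_OBFUSCATED), ("spaced-name", SPACED_NAME)]:
        print("%-13s -> %s" % (label, smuggling_findings(req) or "pass"))


if __name__ == "__main__":
    main()
```

The check is deliberately stricter than RFC 7230, which lets a server prefer Transfer-Encoding when both headers are present; a front end that normalises instead of rejecting leaves the back end to make the same choice, and the whole attack is that the two disagree.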
Relative forwarding within servlets may cause looping stack overflow errors, resulting in denial of service conditions on the target server [BEA05-106.00].

The system does not properly limit invalid login attempts [BEA05-107.00]. Systems that use username/password authentication are affected.

Patches are also available for multiple cross-site scripting vulnerabilities [BEA05-80.02].
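BEA05-101.00 and BEA05-107.00 pull in opposite directions: too few lockout controls leave password guessing unbounded, while a per-account lockout lets anyone who knows the admin user name lock that account. The following is an added example, not vendor code, that makes the trade-off concrete: a login guard with a per-account failure threshold and a per-source throttle, driven by a constructed attack against "admin" from one address. The class name, thresholds and addresses are illustrative, not WebLogic defaults. The simulation shows the attacker being throttled only after the per-account lock has already fired, so the real administrator is locked out exactly as BEA05-101.00 describes, and it shows why the vendor's recommendation of a second administrator account is the mitigation that still works.

```python
"""Per-account lockout versus per-source throttling.

Added example for BEA05-101.00 / BEA05-107.00; not WebLogic code.
Thresholds are illustrative.  Timestamps are plain integers (seconds).
"""

import collections
from typing import Counter, Tuple


class LoginGuard:
    """Tracks failed logins per account and per source address.

    The per-account limit bounds online guessing (BEA05-107.00); the
    per-source limit stops one client from exhausting an account's
    budget (the lockout attack of BEA05-101.00), but only if it bites
    before the account lock does.
    """

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 600,
                 source_limit: int = 20, source_window: int = 60) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.source_limit = source_limit
        self.source_window = source_window
        self._user_fail = collections.defaultdict(list)    # user -> [t, ...]
        self._source_fail = collections.defaultdict(list)  # source -> [t, ...]
        self._locked_until = {}                            # user -> time

    def attempt(self, user: str, source: str, password_ok: bool, now: int) -> str:
        """Return "ok", "denied", "locked-user" or "throttled-source"."""
        # Drop source failures outside the sliding window.
        src = self._source_fail[source] = [
            t for t in self._source_fail[source] if now - t < self.source_window]
        if len(src) >= self.source_limit:
            return "throttled-source"
        if self._locked_until.get(user, 0) > now:
            src.append(now)               # hammering a locked account still counts
            return "locked-user"
        if password_ok:
            self._user_fail[user].clear()
            return "ok"
        self._user_fail[user].append(now)
        src.append(now)
        if len(self._user_fail[user]) >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            self._user_fail[user].clear()
        return "denied"


def simulate() -> Tuple[Counter, str, str]:
    """Constructed scenario: 50 bad passwords for "admin" from one source,
    then the real administrator and a second admin account log in."""
    guard = LoginGuard()
    attacker = "203.0.113.7"
    outcomes = collections.Counter(
        guard.attempt("admin", attacker, False, now=t) for t in range(50))
    real_admin = guard.attempt("admin", "192.0.2.10", True, now=55)
    second_admin = guard.attempt("ops_admin", "192.0.2.10", True, now=56)
    return outcomes, real_admin, second_admin


if __name__ == "__main__":
    outcomes, real_admin, second_admin = simulate()
    print("attacker outcomes:", dict(outcomes))
    print("real admin login :", real_admin)
    print("second admin     :", second_admin)
```

With these numbers the attacker sees 5 denials, 15 "locked-user" responses and 30 throttles, and the real administrator is locked out for the rest of the window while "ops_admin" logs in normally. Lowering source_limit below max_failures prevents a single address from locking an account but does nothing against a distributed attacker, which is why a separate administrator account, rather than tuning, is the durable mitigation.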
|
Impact: A remote user can cause denial of service conditions.
A remote user can conduct cross-site scripting and HTTP smuggling attacks.
The system may disclose user or password information.
A remote authenticated user can change application privileges.
A user may be able to obtain elevated privileges.
|
Solution: The vendor has issued several patches, each described in a separate advisory. The vendor advisories are available at:
http://dev2dev.bea.com/pub/advisory/161
http://dev2dev.bea.com/pub/advisory/160
http://dev2dev.bea.com/pub/advisory/159
http://dev2dev.bea.com/pub/advisory/158
http://dev2dev.bea.com/pub/advisory/157
http://dev2dev.bea.com/pub/advisory/156
http://dev2dev.bea.com/pub/advisory/155
http://dev2dev.bea.com/pub/advisory/154
http://dev2dev.bea.com/pub/advisory/153
http://dev2dev.bea.com/pub/advisory/152
http://dev2dev.bea.com/pub/advisory/151
http://dev2dev.bea.com/pub/advisory/150
http://dev2dev.bea.com/pub/advisory/149
http://dev2dev.bea.com/pub/advisory/148
http://dev2dev.bea.com/pub/advisory/147
http://dev2dev.bea.com/pub/advisory/146
http://dev2dev.bea.com/pub/advisory/145
http://dev2dev.bea.com/pub/advisory/144
http://dev2dev.bea.com/pub/advisory/143
http://dev2dev.bea.com/pub/advisory/142
http://dev2dev.bea.com/pub/advisory/141
http://dev2dev.bea.com/pub/advisory/140
On May 15, 2006, the vendor issued a revised fix for the hanging thread denial of service vulnerability. BEA06-87.01 supersedes BEA05-87.00:
http://dev2dev.bea.com/pub/advisory/197
|
Vendor URL: dev2dev.bea.com/advisoriesnotifications/
|
Cause: Access control error, Exception handling error, Input validation error
|
Underlying OS: Linux (Red Hat Enterprise), Linux (SuSE), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000), Windows (2003)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 10 Oct 2005 15:17:55 -0400
Subject: Multiple BEA WebLogic vulnerabilities
|
Excerpt from BEA web site:
2005-10-10 BEA05-107.00 Too many invalid login attempts allowed.
2005-10-10 BEA05-106.00 Requests for a servlet doing relative forwarding may result in a Denial-of-Service (DOS) attack.
2005-10-10 BEA05-105.00 Certain HTTP requests may be used to launch HTTP Request Smuggling attacks on the server.
2005-10-10 BEA05-104.00 Auditing of MBean configuration changes may stop.
2005-10-10 BEA05-103.00 Multicast data is not encrypted.
2005-10-10 BEA05-102.00 In specific circumstances, weblogic.Deployer communication with the Administration server could be compromised.
2005-10-10 BEA05-101.00 The documentation has been updated to recommend multiple administrator accounts.
2005-10-10 BEA05-100.00 A password might be exposed in some Subjects constructed by the IIOP protocol.
2005-10-10 BEA05-99.00 The password used to boot the server may appear in clear text in the Windows registry.
2005-10-10 BEA05-98.00 Sensitive system properties values are displayed in the server log.
2005-10-10 BEA05-97.00 Servlet resources may not be fully protected when using fullyDelegateAuthorization mode in the Administration Console.
2005-10-10 BEA05-96.00 The passphrase for the private key used in the configuration of SSL appears in cleartext when creating a WebLogic Server domain using the Configuration Wizard.
2005-10-10 BEA05-95.00 Exporting security policies from one operating system and importing to another operating system can lead to servlets being unprotected.
2005-10-10 BEA05-94.00 The local file system may be accessed remotely by a user granted the Admin security role.
2005-10-10 BEA05-93.00 Servlet security constraint fails to properly protect root.
2005-10-10 BEA05-92.00 Principals from a derived Principal class may not be fully validated.
2005-10-10 BEA05-91.00 The passphrase for the Trust keystore appears in clear text in the nodemanager.config file.
2005-10-10 BEA05-90.00 A patch is available to prevent users from accessing machine information behind a firewall.
2005-10-10 BEA05-89.00 Audit events may be posted with incorrect severity.
2005-10-10 BEA05-88.00 A Deployed application can change privileges from Deployer to Admin.
2005-10-10 BEA05-87.00 A malicious client can cause threads to hang on the server.
2005-10-10 BEA05-86.00 In specific circumstances, client/server communications are not using the SSL connection as expected.
2005-10-10 BEA05-85.00 Client/server communications that do not specify a user are not protected by the SSL protocol correctly.
2005-10-10 BEA05-80.02 Patches available to prevent multiple cross-site scripting (XSS) vulnerabilities.
|
|