WebLogic Certificate Validation Error May Let Remote Users Access the System in Certain Cases

SecurityTracker Alert ID: 1017519

SecurityTracker URL: http://securitytracker.com/id?1017519

CVE Reference: CVE-2007-0408

Updated: May 19 2008

Original Entry Date: Jan 16 2007

Impact: User access via network

Fix Available: Yes
Vendor Confirmed: Yes

Advisory: BEA Security Advisory

Version(s): 8.1 - 8.1 SP4

Description: A vulnerability was reported in WebLogic Server and Express. A remote user can gain access to the target application.
The software does not properly validate client certificates when reusing connections from the cache. When an application allows
multiple users to access the system via a single client process, a remote user may be able to use an untrusted X.509 certificate
to gain access to the application.
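The flaw described above, modelled in Python as an added example that is not from the advisory or from BEA's product: the vulnerable cache keys authentication state on the reused connection alone, while the corrected cache binds it to the fingerprint of the certificate that actually passed validation. `TRUSTED_ISSUER`, the certificate fields and the `validate_cert` stand-in are constructed assumptions, not WebLogic internals.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

TRUSTED_ISSUER = "CN=Example Trusted CA"  # constructed trust anchor, not from the advisory

@dataclass(frozen=True)
class ClientCert:
    subject: str
    issuer: str

    def fingerprint(self) -> str:
        # Stand-in for hashing the DER-encoded certificate.
        return hashlib.sha256(f"{self.subject}|{self.issuer}".encode()).hexdigest()

def validate_cert(cert: ClientCert) -> bool:
    """Stand-in for chain validation: trust only certificates from the known issuer."""
    return cert.issuer == TRUSTED_ISSUER

class VulnerableCache:
    """Authenticated identity cached by connection id alone: a different certificate
    presented over a reused connection is never validated (the flaw described above)."""
    def __init__(self) -> None:
        self._by_conn = {}

    def authenticate(self, conn_id: str, cert: ClientCert) -> Optional[str]:
        if conn_id in self._by_conn:
            return self._by_conn[conn_id]  # cache hit: validation skipped
        if not validate_cert(cert):
            return None
        self._by_conn[conn_id] = cert.subject
        return cert.subject

class FixedCache:
    """Cache keyed on (connection id, certificate fingerprint): a new certificate on
    the same connection misses the cache and must pass validation again."""
    def __init__(self) -> None:
        self._by_key = {}

    def authenticate(self, conn_id: str, cert: ClientCert) -> Optional[str]:
        key = (conn_id, cert.fingerprint())
        if key in self._by_key:
            return self._by_key[key]
        if not validate_cert(cert):
            return None
        self._by_key[key] = cert.subject
        return cert.subject
```

With a shared client process, the second user's untrusted certificate inherits the first user's identity in `VulnerableCache` but is rejected by `FixedCache`.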
Impact: A remote user may be able to access the target application.
Solution: The vendor has issued a fixed version (8.1 SP5).
The BEA advisory is available at:
http://dev2dev.bea.com/pub/advisory/202

Vendor URL: dev2dev.bea.com/pub/advisory/202

Cause: Authentication error
Underlying OS: Linux (Red Hat Enterprise), Linux (SuSE), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000), Windows (2003)
Message History:
None.
Source Message Contents
Date: Tue, 16 Jan 2007 14:33:34 -0500
Subject: WebLogic Server and WebLogic Express
http://dev2dev.bea.com/pub/advisory/202