BEA AquaLogic Service Bus Lets Remote Users Bypass Security Checks in Certain Cases
SecurityTracker Alert ID: 1017523
SecurityTracker URL: http://securitytracker.com/id?1017523
CVE Reference: CVE-2007-0432
Updated: May 19 2008
Original Entry Date: Jan 17 2007
Impact: Host/resource access via network
Fix Available: Yes
Vendor Confirmed: Yes
Advisory: BEA Security Advisory
Version(s): 2.0, 2.1, 2.5
Description: A vulnerability was reported in AquaLogic Service Bus. A remote user can bypass security policies in certain cases.
Certain authorization checks may not be properly enforced by AquaLogic Service Bus proxy services. A remote user can send specially
crafted messages to a proxy service to bypass the access policies defined by the AquaLogic Service Bus administrator.
Only specific configurations are affected; however, the vendor did not indicate which configurations those are, so all deployments of
the listed versions should be treated as potentially affected until patched.
Impact: A remote user can bypass some authorization checks.
Solution: The vendor has issued patches for versions 2.1 and 2.5.
Version 2.6 will include the fix.
Version 2.0 is listed as affected, but no patch for it is mentioned in this entry.
The BEA advisory is available at:
http://dev2dev.bea.com/pub/advisory/224
Vendor URL: dev2dev.bea.com/pub/advisory/224
Cause: Access control error
Underlying OS: Linux (Red Hat Enterprise), Linux (SuSE), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (2000), Windows (2003), Windows (XP)
Message History:
None.
Source Message Contents
Date: Tue, 16 Jan 2007 17:08:59 -0500
Subject: AquaLogic Service Bus
BEA07-157.00 Authorization checks may not be enforced in AquaLogic Service Bus proxy services
http://dev2dev.bea.com/pub/advisory/224