SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Oracle WebLogic
Vendors:   BEA Systems
WebLogic Portal Policy Modification Errors May Let Remote Users Access Resources
SecurityTracker Alert ID:  1017521
SecurityTracker URL:  http://securitytracker.com/id/1017521
CVE Reference:   CVE-2007-0423, CVE-2007-0426
Updated:  May 19 2008
Original Entry Date:  Jan 16 2007
Impact:   User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): WebLogic Portal 9.2
Description:   Two vulnerabilities were reported in WebLogic Portal. A remote user may be able to access resources on the target system.

When an administrative user deletes entitlements for a given role, entitlements for other roles may be adversely affected. This may allow a remote user to access certain resources.

Systems that use roles and entitlements to manage WebLogic Portal resources are affected by the first vulnerability [BEA07-151.00].

When an administrative user modifies a WebLogic Portal entitlement policy on a managed server while the Administrative Server is down, the system may fail to propagate the policy modifications to other managed servers in the cluster.

Systems configured in a WebLogic Server clustered environment and using WebLogic Portal entitlements to manage WebLogic Portal resources are affected by the second vulnerability [BEA07-156.00].
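Two checks an administrator could run over exported entitlement policies to spot the conditions described above: collateral changes to other roles after a delete (BEA07-151.00) and managed servers whose policy set has drifted from the rest of the cluster (BEA07-156.00). This is an added example, not code from SecurityTracker or BEA; the policy representation (a set of role/resource/capability triples per server), the server names and the function names are all assumptions, since the real export format is not given on this page.

```python
# Added example (not from the SecurityTracker page or BEA). The entitlement
# model below is a constructed simplification: each policy is a set of
# (role, resource, capability) triples; real WebLogic Portal exports differ.
from typing import Dict, Set, Tuple

Entitlement = Tuple[str, str, str]  # (role, resource, capability)


def collateral_changes(before: Set[Entitlement], after: Set[Entitlement],
                       deleted_role: str) -> Set[Entitlement]:
    """Entitlements belonging to roles OTHER than deleted_role that changed
    between the two snapshots. Deleting one role's entitlements should only
    touch that role; a non-empty result is the BEA07-151.00 symptom."""
    changed = before ^ after  # symmetric difference: added or removed entries
    return {e for e in changed if e[0] != deleted_role}


def stale_servers(snapshots: Dict[str, Set[Entitlement]],
                  reference: str) -> Dict[str, Set[Entitlement]]:
    """Managed servers whose policy set differs from the reference server's,
    mapped to the differing entries. Non-empty output means a policy change
    did not propagate across the cluster (the BEA07-156.00 symptom)."""
    ref = snapshots[reference]
    return {name: pol ^ ref
            for name, pol in snapshots.items()
            if name != reference and pol != ref}


# Constructed sample data: the administrator deleted the "guest" entitlement,
# but the "admin" edit entry disappeared as well (collateral removal).
BEFORE = {("admin", "/portal/reports", "view"),
          ("admin", "/portal/reports", "edit"),
          ("guest", "/portal/reports", "view")}
AFTER = {("admin", "/portal/reports", "view")}

# Constructed cluster snapshot: ms2 still holds the pre-change policy.
CLUSTER = {"ms1": AFTER, "ms2": BEFORE, "ms3": AFTER}

if __name__ == "__main__":
    print("collateral:", collateral_changes(BEFORE, AFTER, "guest"))
    print("stale:", stale_servers(CLUSTER, "ms1"))
```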

Impact:   A remote user may be able to gain access to resources on the target system.
Solution:   The vendor has issued two fixes and indicates that administrators should use the Smart Update tool to install the patch for CR284907 and CR293511.

The fixes will be included in WebLogic Portal 9.2 Maintenance Pack 1.

The BEA advisories are available at:

http://dev2dev.bea.com/pub/advisory/218
http://dev2dev.bea.com/pub/advisory/223

Vendor URL:  dev2dev.bea.com/pub/advisory/218
Cause:   Access control error
Underlying OS:   Linux (Red Hat Enterprise), Linux (SuSE), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000), Windows (2003)

Message History:   None.


 Source Message Contents

Date:  Tue, 16 Jan 2007 17:12:32 -0500
Subject:  WebLogic Portal


BEA07-156.00    Inadvertent corruption of WebLogic Portal entitlement policies.

http://dev2dev.bea.com/pub/advisory/223

BEA07-151.00    Inadvertent removal of access restrictions

http://dev2dev.bea.com/pub/advisory/218
Copyright 2014, SecurityGlobal.net LLC