SecurityTracker Archives
Category:   Application (Web Server/CGI)  >  Oracle WebLogic
Vendors:   BEA Systems
BEA WebLogic Server Multiple Bugs Let Remote Users Deny Service, Gain Elevated Privileges
SecurityTracker Alert ID:  1018057
SecurityTracker URL:  http://securitytracker.com/id/1018057
CVE Reference:   CVE-2007-2695, CVE-2007-2696, CVE-2007-2697, CVE-2007-2698, CVE-2007-2699, CVE-2007-2700, CVE-2007-2701, CVE-2007-2704
Updated:  Feb 21 2008
Original Entry Date:  May 14 2007
Impact:   Denial of service via network, Host/resource access via network, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 6.1, 7.0, 8.1, 9.0, 9.1
Description:   Several vulnerabilities were reported in BEA WebLogic Server. A remote user can gain elevated privileges on the target application. A remote user can cause denial of service conditions.

When the WebLogic HttpClusterServlet or HttpProxyServlet is configured with the 'SecureProxy' parameter, the system may serve external requests to back-end WebLogic servers using a system identity instead of the proxy's identity [BEA08-159.01, which supersedes BEA07-159.00]. As a result, a remote user may be able to gain access to certain administrative resources.

WebLogic JMS systems may fail to perform security access checks on the JMS back-end server [BEA07-160.00]. A remote user can bypass the front-end validation to read or write messages from a protected queue.

In certain configurations, the WebLogic Server embedded LDAP service does not limit or audit failed login attempts [BEA07-161.00]. A remote user can conduct brute force password guessing attacks without limit to determine the administrator's password.
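Because the embedded LDAP service in the affected configurations neither throttles nor audits failed binds, the lockout and the alerting have to live outside it. The following is an added example (not BEA's code or any WebLogic tooling) of the compensating detection a practitioner would run over whatever log does record bind outcomes, for instance a proxy or network sensor in front of the LDAP port. The log layout (`<ISO timestamp> <client ip> <BIND_FAIL|BIND_OK> <bind DN>`) and the sample lines are constructed for the example; the sliding-window threshold is a tunable assumption.

```python
"""Sliding-window detector for failed LDAP bind bursts (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in an assumed format: "<ISO timestamp> <client ip> <result> <bind DN>".
# This is NOT WebLogic's actual embedded-LDAP log layout.
SAMPLE_LOG = """\
2007-05-14T10:00:00 10.0.0.5 BIND_FAIL cn=Admin
2007-05-14T10:00:01 10.0.0.5 BIND_FAIL cn=Admin
2007-05-14T10:00:02 10.0.0.5 BIND_FAIL cn=Admin
2007-05-14T10:00:03 10.0.0.5 BIND_FAIL cn=Admin
2007-05-14T10:00:04 10.0.0.5 BIND_FAIL cn=Admin
2007-05-14T10:00:05 10.0.0.5 BIND_FAIL cn=Admin
2007-05-14T10:00:30 10.0.0.9 BIND_FAIL cn=Admin
2007-05-14T10:05:00 10.0.0.9 BIND_FAIL cn=Admin
2007-05-14T10:00:40 10.0.0.5 BIND_OK cn=Admin
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(BIND_FAIL|BIND_OK)\s+(\S+)$")


def parse_events(log_text):
    """Parse lines into (timestamp, ip, result, dn) tuples, oldest first; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, result, dn = m.groups()
        events.append((datetime.fromisoformat(ts), ip, result, dn))
    events.sort(key=lambda e: e[0])
    return events


def detect_bind_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Flag (ip, dn) pairs with at least `threshold` failed binds inside a sliding `window`.

    Once a pair is flagged, later failures are counted onto the same alert and a
    subsequent successful bind is recorded as success_after_burst, which is the
    signal that a guessed password actually worked.
    """
    recent = defaultdict(deque)  # (ip, dn) -> timestamps of failures inside the window
    alerts = {}                  # (ip, dn) -> alert record
    for ts, ip, result, dn in events:
        key = (ip, dn)
        if result == "BIND_FAIL":
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if key in alerts:
                alerts[key]["failures"] += 1
                alerts[key]["last_seen"] = ts
            elif len(q) >= threshold:
                alerts[key] = {
                    "ip": ip,
                    "dn": dn,
                    "failures": len(q),
                    "first_seen": q[0],
                    "last_seen": ts,
                    "success_after_burst": False,
                }
        elif result == "BIND_OK" and key in alerts:
            alerts[key]["success_after_burst"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bind_bursts(parse_events(SAMPLE_LOG)):
        print(f"{alert['ip']} -> {alert['dn']}: {alert['failures']} failed binds "
              f"between {alert['first_seen']} and {alert['last_seen']}, "
              f"success afterwards: {alert['success_after_burst']}")
```

The detector keys on client address and bind DN together, so a single host rotating through many DNs or a distributed attack spread thinly across addresses will evade the default threshold; lower the threshold or key on DN alone when the administrator account is the only realistic target, as it is here.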

A remote authenticated user with privileges to access the WebLogic console may be able to view certain potentially sensitive Web Service attributes in clear text, including passwords used by credential providers and token handlers [BEA07-162.00].

The WebLogic Scripting Tool script generated by 'configToScript' may not encrypt sensitive attributes when creating a new domain [BEA07-163.00]. A local user or remote authenticated user with read access to configuration files may be able to view the clear text value of certain potentially sensitive attributes (e.g., node manager password).
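A quick way to confirm whether a generated script or domain configuration carries cleartext secrets, before and after applying the vendor fix, is to scan it for sensitive attributes whose values lack WebLogic's encrypted-value marker. The code below is an added example, not BEA's tooling or the configToScript output itself. It assumes that encrypted WebLogic attribute values begin with `{AES}` or `{3DES}`, and it recognises three textual shapes: WLST `set('Attr', 'value')` calls, `cmo.setAttr('value')` calls, and XML elements of the form `<attr-encrypted>value</attr-encrypted>`. The sample WLST script and config fragment are constructed; only string literals are inspected, so a value read from a variable or a file at runtime is not seen.

```python
"""Scan WLST scripts and config.xml fragments for cleartext sensitive attributes (added example)."""
import re

# Constructed sample, loosely shaped like a configToScript-generated WLST script.
SAMPLE_WLST = """\
# constructed sample, not real configToScript output
readDomain('/opt/domains/mydomain')
cd('/SecurityConfiguration/mydomain')
set('NodeManagerUsername', 'nmadmin')
set('NodeManagerPasswordEncrypted', 'S3cret!')
set('CredentialEncrypted', '{AES}bHk5c2VjcmV0dmFsdWU=')
cd('/JDBCSystemResource/ds1/JdbcResource/ds1/JDBCDriverParams/NO_NAME_0')
cmo.setPassword('dbpass123')
set('PasswordEncrypted', '{3DES}Zm9vYmFy')
updateDomain()
"""

# Constructed config.xml fragment with the same mix of good and bad values.
SAMPLE_CONFIG_XML = """\
<security-configuration>
  <node-manager-username>nmadmin</node-manager-username>
  <node-manager-password-encrypted>S3cret!</node-manager-password-encrypted>
  <credential-encrypted>{AES}bHk5c2VjcmV0dmFsdWU=</credential-encrypted>
</security-configuration>
"""

# Assumption: WebLogic marks encrypted attribute values with one of these prefixes.
ENCRYPTED_PREFIX_RE = re.compile(r"^\{(AES|3DES)\}")
# Attribute names that should never hold a cleartext literal.
SENSITIVE_NAME_RE = re.compile(r"password|passphrase|credential", re.IGNORECASE)

# WLST set('Attr', 'value') with a string literal value.
SET_CALL_RE = re.compile(r"""\bset\(\s*['"](?P<attr>\w+)['"]\s*,\s*['"](?P<val>[^'"]*)['"]\s*\)""")
# WLST cmo.setAttr('value') with a string literal value.
SETTER_RE = re.compile(r"""cmo\.set(?P<attr>\w+)\(\s*['"](?P<val>[^'"]*)['"]\s*\)""")
# XML <attr>value</attr> with matching open and close tags.
XML_RE = re.compile(r"<(?P<attr>[\w-]+)>(?P<val>[^<]*)</(?P=attr)>")


def find_cleartext_secrets(text):
    """Return one finding per sensitive attribute whose literal value is not encrypted.

    Findings carry the line number, the attribute name and only the value's
    length, so the report itself does not re-leak the secret.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rx in (SET_CALL_RE, SETTER_RE, XML_RE):
            for m in rx.finditer(line):
                attr, val = m.group("attr"), m.group("val")
                if not SENSITIVE_NAME_RE.search(attr):
                    continue
                if val == "" or ENCRYPTED_PREFIX_RE.match(val):
                    continue  # empty or already encrypted
                findings.append({"line": lineno, "attribute": attr, "value_length": len(val)})
    return findings


if __name__ == "__main__":
    for label, text in (("WLST script", SAMPLE_WLST), ("config.xml", SAMPLE_CONFIG_XML)):
        for f in find_cleartext_secrets(text):
            print(f"{label} line {f['line']}: {f['attribute']} holds a "
                  f"{f['value_length']}-char cleartext value")
```

Run the scanner over the directory that configToScript writes to and over the `config.xml` of the new domain; a clean result after patching is the confirmation that the fix took, and any hit on a shared or version-controlled copy means the affected credential should be rotated, not just re-encrypted.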

A remote authenticated administrative user with the 'Deployer' role may be able to upload archives even if the Domain Security Policies restrict this ability [BEA07-164.01].

A WebLogic JMS Message Bridge that is configured without a destination username and password may allow a remote user to bypass security policy and send messages to a restricted queue [BEA07-165.00].

In specific configurations, a remote user can cause the SSL port to become unavailable [BEA07-168.00]. The WebLogic Server will continue to process requests received on other ports. The server must be restarted to return the SSL port to normal operations.

Impact:   A remote user can gain elevated privileges on the target application.

A remote user can bypass security policies.

A remote user can cause denial of service conditions.

Solution:   The vendor has issued several patches, each described in a separate advisory. The vendor advisories are available at:

http://dev2dev.bea.com/pub/advisory/274
http://dev2dev.bea.com/pub/advisory/228
http://dev2dev.bea.com/pub/advisory/229
http://dev2dev.bea.com/pub/advisory/230
http://dev2dev.bea.com/pub/advisory/231
http://dev2dev.bea.com/pub/advisory/233
http://dev2dev.bea.com/pub/advisory/234
http://dev2dev.bea.com/pub/advisory/237

On February 19, 2008, the vendor issued a revised fix for version 9.0 [BEA08-159.01 supersedes BEA07-159.00].

On May 23, 2007, BEA Systems issued a revised solution to replace the solution originally described in BEA07-164.00. The new advisory is numbered BEA07-164.01 but is available at the same URL as the old advisory:

http://dev2dev.bea.com/pub/advisory/231

Vendor URL:  dev2dev.bea.com/pub/advisory/227
Cause:   Access control error, Exception handling error
Underlying OS:   Linux (Red Hat Enterprise), Linux (SuSE), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000), Windows (2003)

Message History:   None.


 Source Message Contents

Date:  Mon, 14 May 2007 16:35:16 -0400
Subject:  BEA WebLogic


Excerpt from BEA web site:

2007-05-14 	BEA07-168.00 	An SSL port may be susceptible to a Denial of Service attack

2007-05-14 	BEA07-165.00 	WebLogic JMS Message Bridge not enforcing proper credentials to access a protected queue

2007-05-14 	BEA07-164.00 	Security policy may not be applied to WebLogic administration deployers when uploading archives

2007-05-14 	BEA07-163.00 	The WLST script generated by configToScript may not encrypt sensitive attributes when creating a new domain.

2007-05-14 	BEA07-162.00 	The WebLogic console may display certain Web Service sensitive attributes in clear text

2007-05-14 	BEA07-161.00 	WebLogic Server Embedded LDAP may be susceptible to a brute force attack

2007-05-14 	BEA07-160.00 	Security policies may not be enforced on WebLogic JMS servers

2007-05-14 	BEA07-159.00 	Requests served through WebLogic proxy servlets may acquire elevated privileges


Copyright 2014, SecurityGlobal.net LLC