SecurityTracker.com
SecurityTracker Archives

Category: Application (Web Server/CGI) > Oracle WebLogic
Vendors: BEA Systems
BEA WebLogic Bug In Parsing XML DTDs May Let Remote Users Crash the Server
SecurityTracker Alert ID: 1005795
SecurityTracker URL: http://securitytracker.com/id/1005795
CVE Reference: GENERIC-MAP-NOMATCH
Date: Dec 12 2002
Impact: Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): WebLogic Integration 2.1 and 7.0; WebLogic Server and Express 6.0, 6.1, 7.0 and 7.0.0.1
Description:   A denial of service vulnerability was reported in the BEA WebLogic platform, including the WebLogic Integration and WebLogic Server and Express products. A remote user may be able to crash the system.

It is reported that a remote user can create specially crafted entity references in an XML Document Type Definition (DTD) to cause the Xerces parser to consume all available processing resources and crash. The vulnerable Xerces parser is part of WebLogic Server 6.1 and WebLogic Server 7.0.

According to the report, web services hosted on WebLogic Server are not affected, as the parser does not parse DTDs.

BEA has assigned a severity level of "low" to this vulnerability.

BEA Systems credits Sanctum, Inc. with reporting this flaw.

Impact:   A remote user may be able to cause the service to consume all available resources and crash.
Solution:   BEA recommends that WebLogic Integration 2.1 users upgrade to WebLogic Server 6.1 Service Pack 3 and apply the WebLogic Server patch:

ftp://ftpna.beasys.com/pub/releases/security/CR091862_610sp3.jar

BEA notes that when WebLogic Integration 2.1 has been certified with WebLogic Server 6.1 Service Pack 5, you can use that version instead of applying Service Pack 3 with the above mentioned patch.

BEA recommends that WebLogic Integration 7.0 users upgrade to WebLogic Integration 7.0 Service Pack 1 and apply the WebLogic Server patch:

ftp://ftpna.beasys.com/pub/releases/security/CR091862_700sp1.jar

Service Pack 2 will include the fix.

BEA recommends that WebLogic Server 7.0 or WebLogic Server 7.0.0.1 users upgrade to WebLogic Server 7.0 Service Pack 1 and apply the patch:

ftp://ftpna.beasys.com/pub/releases/security/CR091862_700sp1.jar

WebLogic Server 7.0 Service Pack 2 will include this fix.

BEA recommends that WebLogic Server 6.1 users upgrade to WebLogic Server 6.1 SP4 and apply the patch:

ftp://ftpna.beasys.com/pub/releases/security/CR091862_610sp4.jar

WebLogic Server 6.1 Service Pack 5 will include this fix.

BEA recommends that users of WebLogic Server 6.0 upgrade to WebLogic Server 6.0 Service Pack 2 Rolling Patch 3 and apply the patch:

ftp://ftpna.beasys.com/pub/releases/security/CR091862_600sp2rp3.jar

With all of the above listed patches, you must set the WebLogic system property "weblogic.apache.xerces.maxentityrefs" to the maximum number of entity references that may be resolved in an XML document. According to BEA, that same value is also used to limit the maximum number of entity references that may be resolved in the DTD.

Service Packs and information about them are available at:

http://commerce.beasys.com/downloads/weblogic_server.jsp#wls

Vendor URL:  dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?highlight=advisoriesnotifications&path=components%2Fdev2dev%2Fresourcelibrary%2Fadvisoriesno
Cause:   Exception handling error, Input validation error
Underlying OS:  Linux (Red Hat Linux), Linux (SuSE), OpenVMS, UNIX (AIX), UNIX (HP/UX), UNIX (Open UNIX-SCO), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)

Message History:   None.


Source Message Contents

Subject:  BEA XML DTD parsing bug


http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?highlight=advisoriesnotifications&path=components%2Fdev2dev%2Fresourcelibrary%2Fadvisoriesnotifications%2FBEA02-23.htm

BEA Systems issued a security advisory (BEA02-23.00) announcing the availability of a
patch to correct a denial of service vulnerability in the XML parsing function of BEA
WebLogic Platform, WebLogic Integration, WebLogic Server and Express.


It is reported that a remote user can create specially crafted entity references in an XML
Document Type Definition (DTD) to cause the Xerces parser to consume all available
processing resources and crash.  The vulnerable Xerces parser is part of WebLogic Server
6.1 and WebLogic Server 7.0. 

According to the report, web services hosted on WebLogic Server are not affected, as the
parser does not parse DTDs.

BEA has assigned a severity level of "low" to this vulnerability.

BEA Systems credits Sanctum, Inc. with reporting this flaw.


Affected Versions:

BEA WebLogic Integration 2.1 and 7.0.
BEA WebLogic Server and Express 6.0, 6.1, 7.0 and 7.0.0.1.


Solution:

BEA recommends that WebLogic Integration 2.1 users upgrade to WebLogic Server 6.1 Service
Pack 3 and apply the WebLogic Server patch:

ftp://ftpna.beasys.com/pub/releases/security/CR091862_610sp3.jar

BEA notes that when WebLogic Integration 2.1 has been certified with WebLogic Server 6.1
Service Pack 5, you can use that version instead of applying Service Pack 3 with the above
mentioned patch.

BEA recommends that WebLogic Integration 7.0 users upgrade to WebLogic Integration 7.0
Service Pack 1 and apply the WebLogic Server patch:

ftp://ftpna.beasys.com/pub/releases/security/CR091862_700sp1.jar

Service Pack 2 will include the fix.

BEA recommends that WebLogic Server 7.0 or WebLogic Server 7.0.0.1 users upgrade to
WebLogic Server 7.0 Service Pack 1 and apply the patch:

ftp://ftpna.beasys.com/pub/releases/security/CR091862_700sp1.jar

WebLogic Server 7.0 Service Pack 2 will include this fix.

BEA recommends that WebLogic Server 6.1 users upgrade to WebLogic Server 6.1 SP4 and apply
the patch:

ftp://ftpna.beasys.com/pub/releases/security/CR091862_610sp4.jar

WebLogic Server 6.1 Service Pack 5 will include this fix.

BEA recommends that users of WebLogic Server 6.0 upgrade to WebLogic Server 6.0 Service
Pack 2 Rolling Patch 3 and apply the patch:

ftp://ftpna.beasys.com/pub/releases/security/CR091862_600sp2rp3.jar

With all of the above listed patches, you must set the WebLogic system property
"weblogic.apache.xerces.maxentityrefs" to the maximum number of entity references that may
be resolved in an XML document.  According to BEA, that same value is also used to limit
the maximum number of entity references that may be resolved in the DTD.
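The entity-reference cap described here (and in the Solution section of the alert above) bounds the resource blow-up that nested DTD entities cause: each reference expands to more references, so the count grows geometrically while the document stays tiny. The following is an added illustration, not code from BEA, Xerces or SecurityTracker: a counter that computes how many references a full expansion would resolve, memoized per entity so the expanded text is never built, and that stops as soon as the running total passes a maxentityrefs-style limit. The sample documents and all function names are constructed for this example.

```python
import re

# Constructed sample inputs (not from the advisory): entities referencing each other in nested tens, and a harmless document.
NESTED_DOC = """<!DOCTYPE data [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<data>&c;</data>"""
BENIGN_DOC = """<!DOCTYPE note [ <!ENTITY company "Example Corp"> ]>
<note>Contact &company; &amp; friends.</note>"""

DOCTYPE = re.compile(r"<!DOCTYPE[^\[>]*\[(.*?)\]\s*>", re.DOTALL)
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r"&(?!(?:amp|lt|gt|quot|apos);)(\w+);")  # skip the five built-in entities

class EntityLimitExceeded(Exception):
    pass

def count_entity_refs(doc, max_refs):
    """Count references a full expansion would resolve (DTD and body), raising past max_refs."""
    m = DOCTYPE.search(doc)
    entities = dict(ENTITY_DECL.findall(m.group(1))) if m else {}
    body = doc[m.end():] if m else doc
    memo, in_progress = {}, set()  # memo: references resolved when one entity is expanded

    def refs_in(text):
        total = 0
        for name in ENTITY_REF.findall(text):
            total += 1 + cost(name)  # this reference plus everything it expands into
            if total > max_refs:
                raise EntityLimitExceeded(f"over {max_refs} entity references")
        return total

    def cost(name):
        if name in in_progress or name not in entities:  # recursive or undeclared entity
            raise ValueError(f"bad entity reference &{name};")
        if name not in memo:
            in_progress.add(name)
            memo[name] = refs_in(entities[name])
            in_progress.discard(name)
        return memo[name]

    return refs_in(body)

def within_limit(doc, max_refs):
    # Accept/reject decision, as a cap like weblogic.apache.xerces.maxentityrefs would make it.
    try:
        return count_entity_refs(doc, max_refs) >= 0
    except EntityLimitExceeded:
        return False
```

With three nested layers of ten the single body reference already resolves 111 references; each extra layer multiplies that by ten, which is why an absolute count limit, rather than a size check on the incoming document, is the effective control.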

Service Packs and information about them are available at:

http://commerce.beasys.com/downloads/weblogic_server.jsp#wls

Copyright 2020, SecurityGlobal.net LLC