SecurityTracker.com

SecurityTracker
Archives




Category:   Application (Web Server/CGI)  >   Oracle WebLogic
Vendors:   BEA Systems
BEA WebLogic May Disclose One User's Session Data to Another User
SecurityTracker Alert ID:  1006018
SecurityTracker URL:  http://securitytracker.com/id/1006018
CVE Reference:   CVE-2003-1438   (Links to External Site)
Updated:  Jun 24 2008
Original Entry Date:  Jan 30 2003
Impact:   Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.1, 6.0, 6.1, 7.0, and 7.0.0.1
Description:   An access control vulnerability was reported in BEA's WebLogic Server and Express. The system may incorrectly share session data between two users.

It is reported that session data may be shared between two users when the application uses in-memory session replication or replicated stateful session beans. The flaw is due to a race condition in a clustered environment that results in two users being returned the same internal buffer, according to BEA.

BEA states that this flaw is rare and "cannot be intentionally exploited." Note that this describes reproducibility, not impact: the race is hit by timing between concurrent requests in the cluster rather than by anything a user sends, but when it is hit, whatever session data the other user had in the shared buffer is disclosed.

[Editor's note: In Alert 1005310 we described a similar flaw that BEA reported in their Security Advisory BEA02-20.00. It is not clear if these two flaws are related.]
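The paragraphs above describe the flaw class but not how a shared-buffer race hands one user's data to another, or how an operator would notice it. The following is an added example, not BEA's code and not WebLogic internals: a hypothetical replication-buffer pool whose unsynchronized check-then-act lets two concurrent requests receive the same buffer, the same pool with the check and the mark done under one lock, and a concurrency probe in which every client writes a unique marker into its session and reads it back. A barrier forces the two requests through the check together so the interleaving happens on every run instead of depending on the scheduler. All names (RacyPool, LockedPool, make_handler, probe_session_isolation) are assumptions for the demonstration.

```python
"""
Constructed model of the flaw class in BEA03-26: a shared replication buffer
handed to two concurrent requests through an unsynchronized check-then-act,
beside a lock-protected version, plus a probe that detects cross-session
leakage. Not WebLogic code; the pool, buffer and handler are hypothetical.
"""
import threading
from typing import Callable, Dict, List, Optional, Tuple


class Buffer:
    """One replication buffer; 'owner' is the session it currently serves."""
    def __init__(self, owner: Optional[str] = None) -> None:
        self.owner = owner
        self.payload = b""


class RacyPool:
    """Vulnerable: checks 'free' and marks 'busy' without a lock.

    The barrier holds both racers between the check and the mark, so both
    see the buffer as free and both get the same object every run."""
    def __init__(self, racers: int = 2) -> None:
        self._shared = Buffer()
        self._gate = threading.Barrier(racers)

    def acquire(self, session_id: str) -> Buffer:
        if self._shared.owner is None:        # check ...
            self._gate.wait()                 # ... both racers get here ...
            self._shared.owner = session_id   # ... act: last writer wins
            return self._shared
        return Buffer(session_id)             # busy: give out a private buffer


class LockedPool:
    """Fixed: the check and the mark happen under one lock."""
    def __init__(self) -> None:
        self._shared = Buffer()
        self._lock = threading.Lock()

    def acquire(self, session_id: str) -> Buffer:
        with self._lock:
            if self._shared.owner is None:
                self._shared.owner = session_id
                return self._shared
        return Buffer(session_id)


def make_handler(pool, sync: Callable[[], object]) -> Callable[[str, bytes], bytes]:
    """Simulated server path: put the caller's session data in a buffer, yield
    at the (hypothetical) replication step, then read the buffer back.
    'sync' stands in for the scheduling point where the other request runs."""
    def handle(session_id: str, marker: bytes) -> bytes:
        buf = pool.acquire(session_id)
        buf.payload = marker
        sync()
        return buf.payload
    return handle


def probe_session_isolation(handler: Callable[[str, bytes], bytes],
                            n_clients: int) -> List[str]:
    """Run n_clients concurrently, each writing and reading back its own
    marker; return the session ids that got somebody else's data."""
    results: Dict[str, Tuple[bytes, bytes]] = {}

    def client(i: int) -> None:
        sid = f"sess-{i}"
        marker = f"user{i}-private".encode()   # constructed session data
        results[sid] = (marker, handler(sid, marker))

    threads = [threading.Thread(target=client, args=(i,)) for i in range(n_clients)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(sid for sid, (sent, got) in results.items() if sent != got)


def run_demo() -> Tuple[List[str], List[str]]:
    """Probe the racy and the locked pool with two concurrent clients.
    Each run gets its own barrier as the replication-step scheduling point."""
    racy_leaks = probe_session_isolation(
        make_handler(RacyPool(), threading.Barrier(2).wait), 2)
    safe_leaks = probe_session_isolation(
        make_handler(LockedPool(), threading.Barrier(2).wait), 2)
    return racy_leaks, safe_leaks


if __name__ == "__main__":
    racy, safe = run_demo()
    print("racy pool, sessions that read another user's data:", racy)
    print("locked pool, sessions that read another user's data:", safe)
```

With the racy pool exactly one of the two clients reads the other client's marker, because both requests wrote into the same buffer and the last write won; with the locked pool the second request is refused the shared buffer and gets a private one, so both read back their own data. The same read-back-your-own-marker probe, run with real HTTP clients against a cluster, is the check to run after applying the vendor patches.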

Impact:   The system may return one user's session data to another user.
Solution:   The vendor has released fixes for WebLogic Server and Express, as described below.

For WebLogic Server and Express 5.1, the vendor recommends upgrading to Service Pack 13 and applying the following patch:

ftp://ftpna.beasys.com/pub/releases/security/CR094773_510sp13.jar

Service Pack 14 will include this patch.


For WebLogic Server and Express 6.0, BEA recommends upgrading to Service Pack 2 Rolling Patch 3 and applying the following patch:

ftp://ftpna.beasys.com/pub/releases/security/CR094773_60sp2rp3.jar


For WebLogic Server and Express 6.1, BEA recommends upgrading to Service Pack 4 and applying the following patch:

ftp://ftpna.beasys.com/pub/releases/security/CR094773_61sp4.jar

The vendor plans to include this patch in Service Pack 5.


For WebLogic Server and Express 7.0 and 7.0.0.1, the vendor recommends upgrading to Service Pack 1 and applying the following patch:

ftp://ftpna.beasys.com/pub/releases/security/CR094773_70sp1.jar

The vendor plans to include this patch in Service Pack 2. (The vendor later revised the advisory, as noted in the message history below, to state that WebLogic Server 7.0 Service Pack 2 does not correct the problem.)


Service Packs and related information are available at:

http://commerce.beasys.com/downloads/weblogic_server.jsp#wls
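The patches above apply per release, but the flaw only matters for deployments that use in-memory HTTP session replication or replicated stateful session beans in a cluster, so a practitioner first wants to know which applications meet either precondition. The following added audit helper, not part of the advisory or of WebLogic, parses a weblogic.xml and a weblogic-ejb-jar.xml and reports those preconditions. The element names it looks for (session-param with PersistentStoreType, the later persistent-store-type element, and replication-type under stateful-session-clustering) are taken from the 6.x/7.x descriptor format as I recall it and should be verified against the documentation for your release; the two sample descriptors are constructed.

```python
"""
Added audit helper for the BEA03-26 preconditions: does a deployment use
in-memory HTTP session replication or InMemory-replicated stateful session
beans? Descriptor element names are assumptions from the 6.x/7.x format;
sample descriptors are constructed for the demonstration.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed weblogic.xml: HTTP sessions replicated in memory across the cluster.
SAMPLE_WEBLOGIC_XML = """
<weblogic-web-app>
  <session-descriptor>
    <session-param>
      <param-name>PersistentStoreType</param-name>
      <param-value>replicated</param-value>
    </session-param>
  </session-descriptor>
</weblogic-web-app>
"""

# Constructed weblogic-ejb-jar.xml: one replicated SFSB, one not replicated.
SAMPLE_EJB_JAR_XML = """
<weblogic-ejb-jar>
  <weblogic-enterprise-bean>
    <ejb-name>CartBean</ejb-name>
    <stateful-session-descriptor>
      <stateful-session-clustering>
        <home-is-clusterable>true</home-is-clusterable>
        <replication-type>InMemory</replication-type>
      </stateful-session-clustering>
    </stateful-session-descriptor>
  </weblogic-enterprise-bean>
  <weblogic-enterprise-bean>
    <ejb-name>AuditBean</ejb-name>
    <stateful-session-descriptor>
      <stateful-session-clustering>
        <replication-type>none</replication-type>
      </stateful-session-clustering>
    </stateful-session-descriptor>
  </weblogic-enterprise-bean>
</weblogic-ejb-jar>
"""

# Store types that mean in-memory replication (assumed value names).
REPLICATED_STORE_TYPES = {"replicated", "replicated_if_clustered"}


def _local(tag: str) -> str:
    """Strip a namespace prefix so newer, namespaced descriptors also match."""
    return tag.rsplit("}", 1)[-1]


def _text(el: ET.Element) -> str:
    return (el.text or "").strip()


def session_store_type(weblogic_xml: str) -> Optional[str]:
    """Return the configured HTTP session store type, or None if unset."""
    root = ET.fromstring(weblogic_xml)
    for el in root.iter():
        name = _local(el.tag)
        if name == "session-param":
            params = {_local(c.tag): _text(c) for c in el}
            if params.get("param-name") == "PersistentStoreType":
                return params.get("param-value")
        elif name == "persistent-store-type":   # later element form
            return _text(el)
    return None


def sfsb_replication_types(ejb_jar_xml: str) -> Dict[str, str]:
    """Map each bean that declares a replication-type to its value."""
    root = ET.fromstring(ejb_jar_xml)
    found: Dict[str, str] = {}
    for bean in root.iter():
        if _local(bean.tag) != "weblogic-enterprise-bean":
            continue
        name, rtype = None, None
        for el in bean.iter():
            if _local(el.tag) == "ejb-name":
                name = _text(el)
            elif _local(el.tag) == "replication-type":
                rtype = _text(el)
        if name and rtype:
            found[name] = rtype
    return found


def replication_exposure(weblogic_xml: str, ejb_jar_xml: str) -> List[str]:
    """List the BEA03-26 preconditions this deployment meets (empty = none)."""
    reasons: List[str] = []
    store = session_store_type(weblogic_xml)
    if store and store.lower() in REPLICATED_STORE_TYPES:
        reasons.append(f"HTTP sessions use in-memory replication (PersistentStoreType={store})")
    for bean, rtype in sfsb_replication_types(ejb_jar_xml).items():
        if rtype.lower() == "inmemory":
            reasons.append(f"stateful session bean {bean} uses InMemory replication")
    return reasons


if __name__ == "__main__":
    found = replication_exposure(SAMPLE_WEBLOGIC_XML, SAMPLE_EJB_JAR_XML)
    for line in found or ["no session or SFSB replication configured"]:
        print(line)
```

An empty result means the deployment does not use either replication mechanism and the race described in the advisory cannot occur for it; a non-empty result identifies what to patch first. Deployments that run in a cluster and report either precondition are the ones to verify with the read-back probe after patching.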

Vendor URL:  dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?highlight=advisoriesnotifications&path=components%2Fdev2dev%2Fresourcelibrary%2Fadvisoriesnotifications%2FBEA03-26.htm (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Red Hat Linux), Linux (SuSE), OpenVMS, OS/400, UNIX (AIX), UNIX (HP/UX), UNIX (Open UNIX-SCO), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000), Windows (XP)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Issues Revised Advisory) Re: BEA WebLogic May Disclose One User's Session Data to Another User
The vendor has revised their advisory to indicate that WebLogic Server 7.0 Service Pack 2 does not correct the problem.



 Source Message Contents

Subject:  BEA03-26.00


http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?highlight=advisoriesnotifications&path=components%2Fdev2dev%2Fresourcelibrary%2Fadvisoriesnotifications%2FBEA03-26.htm

BEA issued a security advisory (BEA03-26.00) notifying customers of a patch that can prevent session
sharing on WebLogic Server and Express.

It is reported that session data may be shared between two users when the application uses in-memory
session replication or replicated stateful session beans.  The flaw is due to a race condition in a
clustered environment that results in two users being returned the same internal buffer, according
to BEA.  BEA states that this flaw is rare and "cannot be intentionally exploited."

WebLogic Server and Express versions 5.1, 6.0, 6.1, 7.0 and 7.0.0.1 are affected.


For WebLogic Server and Express 5.1, the vendor recommends upgrading to Service Pack 13 and applying
the following patch:

ftp://ftpna.beasys.com/pub/releases/security/CR094773_510sp13.jar

Service Pack 14 will include this patch.


For WebLogic Server and Express 6.0, BEA recommends upgrading to Service Pack 2 Rolling Patch 3 and
applying the following patch:

ftp://ftpna.beasys.com/pub/releases/security/CR094773_60sp2rp3.jar


For WebLogic Server and Express 6.1, BEA recommends upgrading to Service Pack 4 and applying the
following patch:

ftp://ftpna.beasys.com/pub/releases/security/CR094773_61sp4.jar

The vendor plans to include this patch in Service Pack 5.


For WebLogic Server and Express 7.0 and 7.0.0.1, the vendor recommends upgrading to Service Pack 1
and applying the following patch:

ftp://ftpna.beasys.com/pub/releases/security/CR094773_70sp1.jar

The vendor plans to include this patch in Service Pack 2.


Service Packs and related information are available at:

http://commerce.beasys.com/downloads/weblogic_server.jsp#wls

Threat level: low

Severity: high











Copyright 2020, SecurityGlobal.net LLC