SecurityTracker.com

SecurityTracker
Archives

Category:   Application (Web Server/CGI)  >   Oracle WebLogic
Vendors:   BEA Systems
BEA WebLogic Memory Session Persistence Error May Let Remote Users Access Applications
SecurityTracker Alert ID:  1006309
SecurityTracker URL:  http://securitytracker.com/id/1006309
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 18 2003
Impact:   User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 7.0, 7.0.0.1
Description:   An authentication vulnerability was reported in BEA's WebLogic Server. A remote, previously authenticated user could gain access to web applications in certain cases without having to re-authenticate.

It is reported that the vulnerability may occur when a web application component that uses "memory" session persistence is redeployed without rebooting the server. Because the server keeps running, the in-memory session table survives the redeployment, so a remote user who authenticated before the redeployment may be able to access the redeployed web application without authenticating again. According to BEA, this can occur even if a long period of time has passed since the original authentication.

BEA states that only systems that use web applications, "memory" session persistence, and dynamic redeployment (i.e., redeployment without a reboot) are vulnerable.
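The failure mode described above, as an added example that is not part of the BEA advisory or of this alert: a small Python model of a servlet container's in-memory session table, showing why sessions that survive a dynamic redeployment keep old authentications alive, alongside one way to close the hole. Everything here is constructed for illustration: the timeouts, the per-deployment generation counter, the request timeline, and the "hardened" variant, which is one possible mitigation and not a description of what WebLogic 7.0 Service Pack 2 actually changes.

```python
import secrets

IDLE_TIMEOUT = 30 * 60          # seconds of inactivity before a session dies (assumed value)
ABSOLUTE_LIFETIME = 8 * 3600    # hard cap measured from authentication (hardened store only)


class MemorySessionStore:
    """Toy model of a container's in-memory session table for one web application.

    invalidate_on_redeploy=False models the behaviour the advisory describes: the
    table is kept across a dynamic redeployment, so every session authenticated
    before the redeploy is still honoured afterwards.
    invalidate_on_redeploy=True models an assumed fix (not the vendor's): sessions
    are stamped with the deployment generation, rejected once the generation
    changes, and capped to an absolute lifetime.
    """

    def __init__(self, invalidate_on_redeploy):
        self.invalidate_on_redeploy = invalidate_on_redeploy
        self.generation = 0          # bumped on every redeployment
        self.sessions = {}           # session id -> record

    def login(self, user, now):
        """Authenticate `user` at time `now` (seconds) and return a fresh session id."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {
            "user": user,
            "created": now,
            "last_seen": now,
            "generation": self.generation,
        }
        return sid

    def redeploy(self):
        """Dynamic redeployment: the JVM keeps running, and so does this table."""
        self.generation += 1

    def user_for(self, sid, now):
        """Return the user bound to `sid` if the session is still acceptable, else None."""
        rec = self.sessions.get(sid)
        if rec is None:
            return None
        stale = now - rec["last_seen"] > IDLE_TIMEOUT
        if self.invalidate_on_redeploy:
            # Reject anything authenticated under an earlier deployment, and cap
            # total lifetime so a continuously used session cannot live forever.
            stale = stale or rec["generation"] != self.generation
            stale = stale or now - rec["created"] > ABSOLUTE_LIFETIME
        if stale:
            del self.sessions[sid]
            return None
        rec["last_seen"] = now
        return rec["user"]


def scenario(invalidate_on_redeploy, redeploy_at=2 * 3600):
    """Replay the advisory's situation and report who the store accepts at checkpoints.

    Constructed timeline: alice logs in at t=0, keeps the session warm with a
    request every 10 minutes, the application is redeployed at `redeploy_at`
    (None for no redeployment), and alice keeps going until t=9h without ever
    re-authenticating. Returns {hour: accepted user or None} for hours 1, 2, 5, 9.
    """
    store = MemorySessionStore(invalidate_on_redeploy)
    sid = store.login("alice", now=0)
    results = {}
    for t in range(0, 9 * 3600 + 1, 600):
        if t == redeploy_at:
            store.redeploy()
        user = store.user_for(sid, now=t)
        if t in (3600, 2 * 3600, 5 * 3600, 9 * 3600):
            results[t // 3600] = user
    return results


if __name__ == "__main__":
    print("memory store, redeployed at 2h  :", scenario(False))
    print("hardened store, redeployed at 2h:", scenario(True))
    print("hardened store, never redeployed:", scenario(True, redeploy_at=None))
```

In the vulnerable model the session stays valid through the redeployment and indefinitely afterwards, which is exactly the condition the advisory warns about; the generation stamp makes the redeployment itself end every pre-existing session, and the absolute lifetime cap bounds the damage even when no redeployment happens. The same scenario is the practical check for a real deployment: authenticate, note the session cookie, dynamically redeploy the application, and replay the old cookie against it; a server that still serves the protected page has the problem.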

Impact:   A remote user who authenticated before a web application was dynamically redeployed may be able to keep accessing that application without re-authenticating, even long after the original authentication.
Solution:   The vendor has issued the following fix for WebLogic Server 7.0 (released version) and WebLogic Server 7.0.0.1:

Apply WebLogic Server 7.0 Service Pack 2

Vendor URL:  dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-27.jsp (Links to External Site)
Cause:   State error
Underlying OS:  Linux (Red Hat Linux), Linux (SuSE), OpenVMS, OS/400, UNIX (AIX), UNIX (HP/UX), UNIX (Open UNIX-SCO), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  SECURITY ADVISORY (BEA03-27.00)


http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-27.jsp

BEA Systems issued a security advisory (BEA03-27.00) warning of a flaw in WebLogic Server and
Express that may allow remote users to access web applications without re-authenticating to the server.

It is reported that the vulnerability may occur when a web application component that
uses "memory" session persistence is redeployed without rebooting the server.  In this case, a
remote user that had authenticated prior to the redeployment may be able to gain access to
the redeployed web application without having to authenticate again.  This can occur even if a
long period of time has passed since the original authentication, according to BEA.

BEA states that only systems that use web applications, "memory" session persistence, and dynamic
redeployment (i.e., redeployment without a reboot) are vulnerable.

The following versions are affected:

WebLogic Server 7.0 (released version) and WebLogic Server 7.0.0.1 on all platforms

The vendor has issued the following fix for WebLogic Server 7.0 (released version) and WebLogic Server
7.0.0.1:

Apply WebLogic Server 7.0 Service Pack 2


-----

Severity: Low



Copyright 2020, SecurityGlobal.net LLC