SecurityTracker.com
SecurityTracker
Archives

Category:   Application (Web Server/CGI)  >   Oracle WebLogic Vendors:   BEA Systems
BEA WebLogic Server and Express Access Control Bug Lets Remote Authenticated Users Delete Empty Sub-Contexts
SecurityTracker Alert ID:  1006310
SecurityTracker URL:  http://securitytracker.com/id/1006310
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 18 2003
Impact:   Denial of service via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): WebLogic Server and Express 7.0 and 7.0.0.1
Description:   An access control vulnerability was reported in BEA's WebLogic Server and Express products. A remote authenticated user could delete information on the server.

It is reported that there is a coding error in the WebLogic Server that may allow any remote authenticated user to delete empty sub-contexts.

The Java Naming and Directory Interface (JNDI) API "modify" access permission does not protect against the deletion of empty sub-contexts, according to the vendor report.

Impact:   A remote authenticated user may be able to delete empty JNDI sub-contexts, even if they are not permitted to.
Solution:   The vendor has released the following fix for WebLogic Server and Express 7.0 and 7.0.0.1:

Upgrade to Service Pack 2

Vendor URL:  dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-29.jsp
Cause:   Access control error
Underlying OS:  Linux (Red Hat Linux), Linux (SuSE), OpenVMS, OS/400, UNIX (AIX), UNIX (HP/UX), UNIX (Open UNIX-SCO), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000), Windows (XP)

Message History:   None.


Source Message Contents

Subject:  SECURITY ADVISORY (BEA03-29.00)


http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-29.jsp

BEA Systems issued a security advisory (BEA03-29.00) warning customers of a coding error in the
WebLogic Server that may allow any remote authenticated user to delete empty sub-contexts.

The Java Naming and Directory Interface (JNDI) API "modify" access permission does not protect
against the deletion of empty sub-contexts, according to the report.

The following versions are affected:

* WebLogic Server and Express 7.0 and 7.0.0.1, on all platforms


The vendor has released the following fix for WebLogic Server and Express 7.0 and 7.0.0.1:

Upgrade to Service Pack 2

-----

Severity: Low

