SecurityTracker.com

SecurityTracker Archives

Category:   Application (Web Server/CGI)  >   Oracle WebLogic
Vendors:   BEA Systems
(Vendor Issues Revised Advisory) Re: BEA WebLogic May Disclose One User's Session Data to Another User
SecurityTracker Alert ID:  1006318
SecurityTracker URL:  http://securitytracker.com/id/1006318
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 18 2003
Impact:   Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 5.1, 6.0, 6.1, 7.0, and 7.0.0.1
Description:   An access control vulnerability was reported in BEA's WebLogic Server and WebLogic Express. Under certain conditions the server may return one user's session data to a different user.

According to BEA, session data may be shared between two users when the application uses in-memory session replication or replicated stateful session beans. The flaw is a race condition in a clustered environment in which two concurrent requests are handed the same internal buffer, so the response to one user can carry the session data of the other.

BEA states that this flaw is rare and "cannot be intentionally exploited."

[Editor's note: In Alert 1005310 we described a similar flaw that BEA reported in their Security Advisory BEA02-20.00. It is not clear if these two flaws are related.]
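The race BEA describes, one internal buffer handed to two concurrent requests, can be modelled outside WebLogic. The following is an added example written for this page; it is not BEA's code and does not reproduce the actual WebLogic session-replication implementation. It places a shared-buffer store beside a per-request-buffer store and drives both through a forced interleaving so the cross-user leak is reproduced deterministically rather than left to scheduler luck. The class names, the two session payloads and the `yield_point` hook are assumptions made for illustration.

```python
import threading


class SharedBufferStore:
    """Flawed pattern (illustrative model, not WebLogic's code): one internal
    buffer is reused by every request, so a second request can overwrite it
    before the first request has copied its own result out."""

    def __init__(self):
        self._buf = bytearray()

    def serialize(self, session_data, yield_point=None):
        self._buf[:] = session_data      # fill the shared buffer
        if yield_point is not None:
            yield_point()                # simulated preemption by another request
        return bytes(self._buf)          # may now hold another user's session


class PerRequestBufferStore:
    """Corrected pattern: every request serializes into its own buffer, so a
    concurrent request cannot overwrite data that has not been returned yet."""

    def serialize(self, session_data, yield_point=None):
        buf = bytearray(session_data)
        if yield_point is not None:
            yield_point()
        return bytes(buf)


# Constructed sample session payloads for two users (assumed, not from the advisory).
ALICE = b"user=alice;cart=3"
BOB = b"user=bob;cart=9"


def run_interleaved(store):
    """Serve two concurrent requests through `store`, forcing the worst-case
    interleaving: A fills the buffer, B fills and returns, then A returns."""
    a_filled = threading.Event()
    b_done = threading.Event()
    results = {}

    def preempt():
        a_filled.set()   # let B run while A is between fill and return
        b_done.wait()

    def request_a():
        results["alice"] = store.serialize(ALICE, yield_point=preempt)

    def request_b():
        a_filled.wait()
        results["bob"] = store.serialize(BOB)
        b_done.set()

    threads = [threading.Thread(target=request_a), threading.Thread(target=request_b)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def leaks_session_data(results):
    """True if either user received a response that is not their own session."""
    return results["alice"] != ALICE or results["bob"] != BOB


if __name__ == "__main__":
    print("shared buffer :", run_interleaved(SharedBufferStore()))
    print("per-request   :", run_interleaved(PerRequestBufferStore()))
```

With the shared buffer, Alice's response comes back carrying Bob's session; with a per-request buffer both users get their own data. The forced interleaving is the point: a race of this kind almost never appears in a single-threaded test, so BEA's "rare" is a statement about scheduling odds, not about impact. In this model the remedy is to stop sharing the buffer; the advisory does not describe how the CR094773 patch itself resolves the race.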

Impact:   The system may return one user's session data to another user.
Solution:   The vendor has revised its advisory (BEA03-26.01). Contrary to the original advisory (BEA03-26.00), WebLogic Server 7.0 Service Pack 2 on its own does not correct the problem; the CR094773 patch listed below must be applied on top of it. The vendor asks that you disregard the previous advisory (SECURITY ADVISORY BEA03-26.00).

The following fixes are available:

For WebLogic Server and Express 5.1:

Upgrade to Service Pack 13 and apply the patch:

ftp://ftpna.beasys.com/pub/releases/security/CR094773_510sp13.jar

When Service Pack 14 is available, you may use that Service Pack instead of Service Pack 13 plus this patch.


For WebLogic Server and Express 6.0:

Upgrade to Service Pack 2 Rolling Patch 3 and apply the patch:

ftp://ftpna.beasys.com/pub/releases/security/CR094773_60sp2rp3.jar


For WebLogic Server and Express 6.1:

Upgrade to Service Pack 4 and apply the patch:

ftp://ftpna.beasys.com/pub/releases/security/CR094773_61sp4.jar

When Service Pack 5 is available, you may use that Service Pack instead of Service Pack 4 plus this patch.


For WebLogic Server and Express 7.0 and 7.0.0.1:

Upgrade to Service Pack 2 and apply the patch:

ftp://ftpna.beasys.com/pub/releases/security/CR094773_70sp2.jar

When Service Pack 3 is available, you may use that Service Pack instead of Service Pack 2 plus this patch.

Vendor URL:  dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-26.01.jsp
Cause:   Access control error
Underlying OS:  Linux (Red Hat Linux), Linux (SuSE), OpenVMS, OS/400, UNIX (AIX), UNIX (HP/UX), UNIX (Open UNIX-SCO), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000), Windows (XP)

Message History:   This archive entry is a follow-up to the message listed below.
Jan 30 2003 BEA WebLogic May Disclose One User's Session Data to Another User



 Source Message Contents

Subject:  Updated BEA Advisory BEA03-26.01


http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-26.01.jsp

BEA Systems issued an updated advisory (BEA03-26.01) for WebLogic Server and Express. In the
earlier version of this advisory (BEA03-26.00), the vendor reported that WebLogic Server 7.0 Service
Pack 2 corrected the flaw, when in fact it did not.

The vendor asks that you disregard SECURITY ADVISORY BEA03-26.00.


The following versions are affected by this vulnerability:

WebLogic Server and Express, 5.1, 6.0, 6.1, 7.0 and 7.0.0.1, on all platforms.


BEA has issued the following fixes:


For WebLogic Server and Express 5.1

Upgrade to Service Pack 13 and apply the patch:

ftp://ftpna.beasys.com/pub/releases/security/CR094773_510sp13.jar

When Service Pack 14 is available, you may use that Service Pack instead of Service Pack 13 plus
this patch.


For WebLogic Server and Express 6.0

Upgrade to Service Pack 2 Rolling Patch 3 and apply the patch:

ftp://ftpna.beasys.com/pub/releases/security/CR094773_60sp2rp3.jar


For WebLogic Server and Express 6.1

Upgrade to Service Pack 4 and apply the patch:

ftp://ftpna.beasys.com/pub/releases/security/CR094773_61sp4.jar

When Service Pack 5 is available, you may use that Service Pack instead of Service Pack 4 plus this
patch.


For WebLogic Server and Express 7.0 and 7.0.0.1

Upgrade to Service Pack 2 and apply the patch:

ftp://ftpna.beasys.com/pub/releases/security/CR094773_70sp2.jar

When Service Pack 3 is available, you may use that Service Pack instead of Service Pack 2 plus this
patch.

-----

Severity: High


Copyright 2020, SecurityGlobal.net LLC