BEA WebLogic Server Multiple Bugs Let Remote Users Deny Service, Obtain Information, and Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1015029
SecurityTracker URL: http://securitytracker.com/id/1015029
Updated: Feb 21 2008
Original Entry Date: Oct 10 2005
Impact: Denial of service via network, Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 6.1 SP7, 7.0 SP6, 8.1 SP4, 9.0; and prior service packs
Description: Multiple vulnerabilities were reported in BEA WebLogic Server. A remote user can cause denial of service conditions. A user may be able to obtain elevated privileges. A remote user can conduct cross-site scripting and HTTP smuggling attacks. The system may disclose user or password information.
BEA Systems issued 22 separate advisories detailing vulnerabilities in various versions of WebLogic Server and WebLogic Express. The highest severity level assigned by the vendor is "high."
In certain situations, if a remote client logs in using one-way SSL without specifying the user, a lower level of SSL encryption may be used [BEA05-85.00]. Java client applications that use SSL but do not specify a user are affected.
If a remote Java client creates a non-SSL T3 connection to a server and then creates an SSL T3S connection to the same destination server, the client may use the first non-SSL connection instead of the second SSL connection [BEA05-86.00].
A remote user can cause server threads to hang, resulting in denial of service conditions on the target server [BEA05-87.00].
A remote authenticated user can change privileges in a Web application or EJB from the Deployer security role to the Admin security role by exploiting the run-as deployment descriptor element [BEA05-88.00]. Sites using web applications and EJBs that grant the Deployer and Admin security roles are affected.
When the target server is under heavy load, audit events may be posted with incorrect severity levels [BEA05-89.00]. Sites that have auditing enabled may be affected.
A remote user may be able to determine the IP addresses of systems located behind a firewall and using network address translation [BEA05-90.00]. Only WebLogic Server 8.1 (through Service Pack 3) is affected.
A remote authenticated user can invoke the Node Manager to access the 'nodemanager.config' file to view the CustomTrustKeyStorePassPhrase in cleartext [BEA05-91.00].
If a custom Principal class has multiple PrincipalValidators, a derived Principal may be only partially validated in certain cases [BEA05-92.00]. A user may be able to tamper with a Principal within a Subject to obtain elevated privileges. Systems that use the WebLogic Authentication providers with the default Principals are not affected.
Servlet security constraints may not properly protect the root directory because the servlet root url pattern "/" is not always constrained as expected [BEA05-93.00].
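The constraint-coverage problem in BEA05-93.00 is easy to miss in a deployment descriptor review, because in the servlet URL-pattern syntax a bare "/" is the default-servlet pattern while "/*" is the path-prefix pattern that covers every request. The following checker is an added example written for this page, not BEA's code or anything from the advisory: it parses a constructed web.xml (the sample descriptor, constraint names and role names are assumptions), reports every security-constraint whose web-resource-collection relies on a bare "/" without also listing "/*", and shows the corrected descriptor. Only url-pattern elements inside security-constraint elements are rewritten, so servlet-mapping entries that legitimately use "/" are left alone.

```python
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor (not taken from the advisory).
# The first constraint uses the root pattern "/", the second uses "/admin/*".
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole app (weak)</web-resource-name>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

J2EE_NS = "http://java.sun.com/xml/ns/j2ee"


def _local(tag):
    """Strip the XML namespace so tags can be compared by local name."""
    return tag.rsplit("}", 1)[-1]


def _constraint_collections(root):
    """Yield every web-resource-collection that sits inside a security-constraint."""
    for sc in root.iter():
        if _local(sc.tag) == "security-constraint":
            for wrc in sc:
                if _local(wrc.tag) == "web-resource-collection":
                    yield wrc


def find_root_only_constraints(web_xml_text):
    """Return (resource-name, patterns) for each collection that protects the
    application root only with the bare pattern "/" and never with "/*"."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for wrc in _constraint_collections(root):
        name = next((c.text for c in wrc if _local(c.tag) == "web-resource-name"), "?")
        patterns = [c.text.strip() for c in wrc if _local(c.tag) == "url-pattern" and c.text]
        if "/" in patterns and "/*" not in patterns:
            findings.append((name, patterns))
    return findings


def rewrite_root_pattern(web_xml_text):
    """Return the descriptor with each bare "/" url-pattern inside a
    security-constraint replaced by the prefix pattern "/*"."""
    ET.register_namespace("", J2EE_NS)  # keep the default namespace unprefixed
    root = ET.fromstring(web_xml_text)
    for wrc in _constraint_collections(root):
        for c in wrc:
            if _local(c.tag) == "url-pattern" and c.text and c.text.strip() == "/":
                c.text = "/*"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, patterns in find_root_only_constraints(SAMPLE_WEB_XML):
        print("weak root constraint: %s -> %s" % (name, patterns))
    print(rewrite_root_pattern(SAMPLE_WEB_XML))
```

Running the script flags the "Whole app (weak)" collection and prints a descriptor in which that constraint now reads `/*`, while the `<servlet-mapping>` for the default servlet keeps its `/`. A second pass over the rewritten text reports no findings.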
A remote authenticated administrator with the Admin security role can access an internal servlet via HTTP or HTTPS to access files on the target system [BEA05-94.00]. This vulnerability only affects WebLogic Server version 8.1 through Service Pack 3.
When security policies are exported and imported across operating systems, differences in case handling may affect the enforcement of the intended policies [BEA05-95.00]. As a result, Web Application pages that may be protected on one operating system may not be protected on a different operating system.
When a new WebLogic Server domain is created using the Configuration Wizard, the passphrase for the private key used in configuring SSL is displayed on the screen and stored in the server log file [BEA05-96.00].
When an unexpected failure occurs during deployment by an authorization provider or role provider, the servlet container may mark the servlet as inaccessible but allow deployment to continue [BEA05-97.00]. If fullyDelegateAuthorization was enabled, the servlet will not be fully protected because the security framework will not have any constraints.
When a user supplies potentially sensitive system properties via the java command-line interface -D command switch when booting the server, the information is included in the server log [BEA05-98.00]. A user with access to the server log can view the information.
When a WebLogic Server is configured to run as a service on a Windows-based system, the administrative password used to boot the server is stored in the Windows registry [BEA05-99.00]. In some cases, the password is stored in clear text form. A local user can view the password to gain access to the administrative account.
In certain situations, the IIOP protocol may construct a Subject that contains a password, which may be displayed in an exception [BEA05-100.00]. A remote user or a user with access to a server-side log may be able to access the password. Systems using the IIOP protocol may be affected.
A remote user with the knowledge of the name of the admin user can make continuous invalid login attempts to lock out the target admin user [BEA05-101.00].
In certain situations, a Deployer may use the weblogic.Deployer command with the t3 protocol instead of the secure t3s protocol [BEA05-102.00]. As a result, information sent between the weblogic.Deployer command and the Administration server may be disclosed.
Multicast messages used to keep nodes of a cluster in sync are not encrypted by default [BEA05-103.00].
In certain cases, log records that are not properly formatted may cause an exception and not be published [BEA05-104.00]. If this occurs a certain number of times, no further log records will be published and no auditing of MBean configuration changes will be performed. Only WebLogic Server version 8.1 through Service Pack 4 is affected.
A remote user can issue certain HTTP requests to conduct HTTP Request Smuggling attacks against the target server [BEA05-105.00].
Relative forwarding within servlets may cause looping stack overflow errors, resulting in denial of service conditions on the target server [BEA05-106.00].
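The advisory for BEA05-105.00 gives no request details, but the class of bug it names rests on two HTTP parsers disagreeing about where a request body ends. The check below is an added example for this page, not BEA's code or a reproduction of the advisory: it applies the message-framing rules a defender would enforce at the first hop (no request may carry both Content-Length and Transfer-Encoding, duplicate Content-Length values must agree, Content-Length must be decimal, and if Transfer-Encoding is present "chunked" must be the final coding) to a set of constructed raw requests and returns the reasons a request should be rejected rather than forwarded. The host name and paths in the samples are assumptions.

```python
import re

# Constructed raw requests (not captured traffic). Each is a bytes object
# exactly as it would arrive on the wire.
SAMPLE_REQUESTS = {
    "clean": (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
              b"Content-Length: 5\r\n\r\nhello"),
    "chunked_only": (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
                     b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    "cl_and_te": (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
                  b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    "dup_cl": (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Length: 4\r\nContent-Length: 9\r\n\r\nabcd"),
    "bad_cl": (b"POST /app HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Length: 4x\r\n\r\nabcd"),
}

# RFC 7230 "token" characters, the only ones allowed in a header field name.
TOKEN_RE = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")


def parse_headers(raw):
    """Split a raw HTTP/1.1 request into (request_line, [(name, value), ...]).
    Names are lower-cased but NOT stripped, so stray whitespace is visible;
    values have surrounding whitespace removed."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            headers.append((line.decode("latin-1").lower(), ""))  # keep malformed lines visible
            continue
        headers.append((name.decode("latin-1").lower(), value.decode("latin-1").strip()))
    return request_line, headers


def framing_conflicts(raw):
    """Return the list of reasons why the body length of `raw` is ambiguous.
    An empty list means the request has exactly one unambiguous framing."""
    _, headers = parse_headers(raw)
    reasons = []
    for name, _value in headers:
        if not TOKEN_RE.fullmatch(name):
            reasons.append("malformed header name: %r" % name)
    cl_values = [v for n, v in headers if n == "content-length"]
    te_values = [v for n, v in headers if n == "transfer-encoding"]
    if cl_values and te_values:
        reasons.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl_values)) > 1:
        reasons.append("conflicting Content-Length values: " + ", ".join(cl_values))
    for v in cl_values:
        if not re.fullmatch(r"[0-9]+", v):
            reasons.append("non-numeric Content-Length: %r" % v)
    for v in te_values:
        codings = [c.strip().lower() for c in v.split(",")]
        if codings[-1] != "chunked":
            reasons.append("Transfer-Encoding does not end with chunked: %r" % v)
    return reasons


def audit_samples(samples=SAMPLE_REQUESTS):
    """Run the framing check over every sample; a reverse proxy or front-end
    server would reject any request whose list is non-empty."""
    return {name: framing_conflicts(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, reasons in audit_samples().items():
        print("%-13s %s" % (name, "OK" if not reasons else "REJECT: " + "; ".join(reasons)))
```

The policy is deliberately strict: a request that could be framed two ways is dropped at the edge instead of being passed on for a back-end parser to interpret differently, which is the condition smuggling depends on. Identical duplicate Content-Length headers are tolerated, as RFC 7230 permits, but any disagreement is fatal.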
The system does not properly limit invalid login attempts [BEA05-107.00]. Systems that use username/password authentication are affected.
Impact: A remote user can cause denial of service conditions.
A remote user can conduct cross-site scripting and HTTP smuggling attacks.
The system may disclose user or password information.
A remote authenticated user can change application privileges.
A user may be able to obtain elevated privileges.
Solution: The vendor has issued several patches, each described in a separate advisory. The vendor advisories are available at:
On May 15, 2006, the vendor issued a revised fix for the hanging thread denial of service vulnerability. BEA06-87.01 supersedes BEA05-87.00:
Vendor URL: dev2dev.bea.com/advisoriesnotifications/
Cause: Access control error, Exception handling error, Input validation error
Underlying OS: Linux (Red Hat Enterprise), Linux (SuSE), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000), Windows (2003)
Source Message Contents
[Original Message Not Available for Viewing]