SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Oracle WebLogic Vendors:   BEA Systems
BEA WebLogic May Disclose Administrative Password in Certain Cases
SecurityTracker Alert ID:  1009766
SecurityTracker URL:  http://securitytracker.com/id/1009766
CVE Reference:   CVE-2004-0652   (Links to External Site)
Updated:  Jul 14 2004
Original Entry Date:  Apr 13 2004
Impact:   Disclosure of authentication information, Disclosure of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 8.1 through Service Pack 2; 7.0 through Service Pack 4
Description:   A vulnerability was reported in BEA's WebLogic Server and WebLogic Express. A user with certain privileges may be able to obtain an administrative username and password.

BEA reported that a remote or local user that has privileges (or abilities) to install and execute code within the target WebLogic Server can obtain username and password information. The information can then be used to login as the Administrator or Operator user account that booted the server.
Impact:   A remote or local user with certain privileges may be able to obtain the username and password of the user that booted the server.
Solution:   The vendor recommends that version 8.1 users upgrade to SP2 and apply the following patch:

ftp://ftpna.beasys.com/pub/releases/security/CR132949_81sp2.jar

The vendor plans to include this fix in SP3.

For WebLogic Server and WebLogic Express version 7.0 users, the vendor recommends that you upgrade to Service Pack 5.
Vendor URL:  dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_55.00.jsp (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)

Message History:   None.

 Source Message Contents
Subject:  http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_55.00.jsp


http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_55.00.jsp

 > Security Advisory: (BEA04-55.00)

 > From: BEA Systems Inc.

 > Minor Subject:Patches available to prevent to password exposure.

 > Product(s) Affected: WebLogic Server and WebLogic Express

A vulnerability was reported in BEA's WebLogic Server and WebLogic Express.  A remote user 
that has privileges (or abilities) to install and execute code within the targeg WebLogic 
Server can obtain username and password information.  The information can then be used to 
login as the Administrator or Operator user account that booted the server.

The following versions are affected:

8.1 through Service Pack 2
7.0 through Service Pack 4

The vendor recommends that version 8.1 users upgrade to SP2 and apply the following patch:

ftp://ftpna.beasys.com/pub/releases/security/CR132949_81sp2.jar

The vendor plans to include this fix in SP3.

For WebLogic Server and WebLogic Express version 7.0 users, the vendor recommends that you 
upgrade to Service Pack 5.


 > Threat level: Low - The vulnerability requires installed code to be exploited.
 > Severity: High - A user can potentially obtain the username and password of the
 > user who booted the server.


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC