WebLogic Portal May Disclose a User's JSR-168 Portlet Contents
SecurityTracker Alert ID: 1015791
SecurityTracker URL: http://securitytracker.com/id/1015791
CVE Reference: GENERIC-MAP-NOMATCH
Date: Mar 20 2006
Impact: Disclosure of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): WebLogic Portal 8.1 SP5 and prior service packs
Description:
A vulnerability was reported in WebLogic Portal. A remote user may be able to view another user's JSR-168 Portlet contents.
The system may render JSR-168 Portlet contents from the cache, where the contents belong to another user.
WebLogic Portal sites using JSR-168 Portlets are affected. Other Portlet types are not affected.
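
The class of failure described above, cached portlet markup rendered for one user being returned to another, can be reproduced with a fragment cache keyed by portlet instance alone and avoided with one keyed per user. This is an added example, not code from WebLogic Portal or from the vendor's patch; the class, method names, key format and sample values are hypothetical and constructed for illustration.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Supplier;

/** Constructed illustration of a portlet fragment cache; not WebLogic Portal code. */
public class PortletFragmentCacheDemo {

    /** Hypothetical cache: stores rendered markup under a caller-supplied key. */
    static final class FragmentCache {
        private final Map<String, String> store = new ConcurrentHashMap<>();

        String render(String key, Supplier<String> renderer) {
            // Render only on a cache miss; otherwise return the stored markup.
            return store.computeIfAbsent(key, k -> renderer.get());
        }
    }

    /** Weak key: portlet instance only, so every user shares one entry. */
    static String sharedKey(String portletId, String userId) {
        return portletId;
    }

    /** Scoped key: one entry per portlet instance per user. */
    static String perUserKey(String portletId, String userId) {
        // Length-prefix the user id so distinct (user, portlet) pairs never collide.
        return userId.length() + ":" + userId + "|" + portletId;
    }

    static String markupFor(String userId) {
        return "<div>Inbox of " + userId + "</div>"; // constructed sample content
    }

    public static void main(String[] args) {
        String portlet = "mail-portlet"; // constructed portlet instance id

        FragmentCache weak = new FragmentCache();
        weak.render(sharedKey(portlet, "alice"), () -> markupFor("alice"));
        String bobSeesWeak = weak.render(sharedKey(portlet, "bob"), () -> markupFor("bob"));
        System.out.println("shared key   -> bob gets: " + bobSeesWeak);

        FragmentCache scoped = new FragmentCache();
        scoped.render(perUserKey(portlet, "alice"), () -> markupFor("alice"));
        String bobSeesScoped = scoped.render(perUserKey(portlet, "bob"), () -> markupFor("bob"));
        System.out.println("per-user key -> bob gets: " + bobSeesScoped);

        // Regression check: a user must never receive markup rendered for someone else.
        if (!bobSeesScoped.equals(markupFor("bob"))) throw new AssertionError("cross-user cache hit");
    }
}
```

The final check in `main` is the kind of two-user regression test worth running against any portlet cache after patching: render as one user, then as a second, and confirm the second response contains none of the first user's content.
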
Impact:
A remote user can view the contents of another user's JSR-168 Portlet.
Solution:
The vendor has issued the following fix [quoted]:
1. Upgrade to WebLogic Portal 8.1 Service Pack 5.
2. Install the patch from:
ftp://ftpna.beasys.com/pub/releases/security/patch_CR259534_81SP5.zip
3. Follow the instructions in the README file contained in the ZIP archive.
This fix will be included in WebLogic Portal 8.1 Service Pack 6.
The vendor's advisory is available at:
http://dev2dev.bea.com/pub/advisory/182
Vendor URL: dev2dev.bea.com/pub/advisory/182
Cause:
Access control error
Underlying OS: Linux (Red Hat Enterprise), Linux (SuSE), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000), Windows (2003)