


Category:   Application (Web Server/CGI)  >   Oracle WebLogic
Vendors:   BEA Systems
WebLogic Portal Policy Modification Errors May Let Remote Users Access Resources
SecurityTracker Alert ID:  1017521
SecurityTracker URL:
CVE Reference:   CVE-2007-0423, CVE-2007-0426
Updated:  May 19 2008
Original Entry Date:  Jan 16 2007
Impact:   User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): WebLogic Portal 9.2
Description:   Two vulnerabilities were reported in WebLogic Portal. A remote user may be able to access resources on the target system.

When an administrative user deletes entitlements for a given role, entitlements for other roles may be adversely affected. This may allow a remote user to access certain resources.

Systems that use roles and entitlements to manage WebLogic Portal resources are affected by the first vulnerability [BEA07-151.00].

When an administrative user modifies a WebLogic Portal entitlement policy on a managed server while the Administrative Server is down, the system may fail to propagate the policy modifications to other managed servers in the cluster.

Systems configured in a WebLogic Server clustered environment and using WebLogic Portal entitlements to manage WebLogic Portal resources are affected by the second vulnerability [BEA07-156.00].

Impact:   A remote user may be able to gain access to resources on the target system.
Solution:   The vendor has issued two fixes and indicates that administrators should use the Smart Update tool to install the patches for CR284907 and CR293511.

The fixes will be included in WebLogic Portal 9.2 Maintenance Pack 1.

The BEA advisories are available at:

Vendor URL:
Cause:   Access control error
Underlying OS:  Linux (Red Hat Enterprise), Linux (SuSE), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000), Windows (2003)

Message History:   None.

Source Message Contents

[Original Message Not Available for Viewing]
