NI3
11-15-2003, 04:41 PM
TITLE:
BEA WebLogic Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA10218
CRITICAL:
Moderately critical
IMPACT:
Exposure of sensitive information, DoS
WHERE:
From remote
SOFTWARE:
BEA WebLogic Server 8.x
BEA WebLogic Server 7.x
BEA WebLogic Server 6.x
BEA WebLogic Express 8.x
BEA WebLogic Express 7.x
BEA WebLogic Express 6.x
DESCRIPTION:
BEA has issued patches for BEA WebLogic Server and Express. These fix
5 different vulnerabilities, which can be exploited to cause a Denial
of Service or expose sensitive information.
1) The ***** plug-in fails to handle certain incorrectly formatted
URLs allowing malicious people to crash the ***** plug-in. This
causes the websites to become inaccessible.
2) WebLogic may fail to wrap T3 in SSL when the URI handler has been
specified as T3S. This happens if the non-SSL enabled port is
specified. This may expose data that should be protected.
3) Passwords for foreign JMS providers are shown in clear-text in
the console and are stored in clear-text in the "config.xml" file.
This may expose the passwords to untrusted users.
4) Node Manager fails to handle invalid data such as data generated
by port scanning tools. This may cause Node Manager to crash or stop
responding.
5) The default settings for sites expose MBeanHome to anonymous users
from JNDI with RMI access. This may expose various configuration
MBeans.
WebLogic Server and Express 6.1 are affected by issues 1, 4, and 5.
WebLogic Server and Express 7.0 are affected by issues 1, 2, 4, and
5.
WebLogic Server and Express 8.1 are affected by issues 1, 2, 3, 4, and
5.
SOLUTION:
Patches and workarounds are available:
1) Patch with export strength SSL encryption:
Linux / Unix:
ftp://ftpna.beasys.com/pub/releases/security/CR121341.zip
Windows:
ftp://ftpna.beasys.com/pub/releases/security/CR121341_win.zip
Contact BEA Customer Support for domestic strength SSL.
2)
For WebLogic Server and Express 8.1:
ftp://ftpna.beasys.com/pub/releases/security/CR107363_810sp1.jar
For WebLogic Server and Express 7.0 and 7.0.0.1:
ftp://ftpna.beasys.com/pub/releases/security/CR107363_700sp4.jar
3)
For WebLogic Server and Express 8.1:
ftp://ftpna.beasys.com/pub/releases/security/CR124344_81sp1.jar
4)
For WebLogic Server and Express 8.1:
ftp://ftpna.beasys.com/pub/releases/security/CR125829_810sp1.jar
For WebLogic Server and Express 7.0 and 7.0.0.1:
ftp://ftpna.beasys.com/pub/releases/security/CR125829_700sp4.jar
For WebLogic Server and Express 6.1:
ftp://ftpna.beasys.com/pub/releases/security/CR125829_610sp5.jar
5) See original advisory for information about "best practices".
ORIGINAL ADVISORY:
Remedies available to prevent Denial of Service
Patches available to prevent unintended use of nonencrypted connection
Patches available to protect password
Patches available to protect Node Manager
Workaround available to prevent Mbean exposure
----------------------------------------------------------------------
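An added example for issue 2, not part of the advisory or of BEA's code: a small audit that scans client configuration lines for t3s:// URLs whose port is the server's non-SSL listen port, including the comma-separated host list form. The ports 7001 (plain) and 7002 (SSL), the property names and the hostnames are constructed assumptions; substitute the domain's real listen ports.

```python
import re
from urllib.parse import urlsplit

# Matches t3:// and t3s:// URLs embedded in property or script lines.
T3_URL = re.compile(r"\bt3s?://[^\s\"'<>]+", re.IGNORECASE)

def classify(url, plain_ports, ssl_ports):
    """Return one (host:port, verdict) pair per endpoint in a t3/t3s URL."""
    parts = urlsplit(url)
    secure = parts.scheme.lower() == "t3s"
    verdicts = []
    for entry in parts.netloc.split(","):      # host1:port,host2:port form
        _host, sep, port = entry.rpartition(":")
        if not sep or not port.isdigit():
            verdicts.append((entry, "no-port"))
        elif not secure:
            verdicts.append((entry, "plaintext-t3"))
        elif int(port) in plain_ports:
            # The case from issue 2: T3S requested, non-SSL port given.
            verdicts.append((entry, "t3s-on-plain-port"))
        elif int(port) in ssl_ports:
            verdicts.append((entry, "ok"))
        else:
            verdicts.append((entry, "t3s-unknown-port"))
    return verdicts

def audit(lines, plain_ports, ssl_ports):
    """Return (line number, endpoint) for every t3s URL aimed at a plain port."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for match in T3_URL.finditer(line):
            for entry, verdict in classify(match.group(0), plain_ports, ssl_ports):
                if verdict == "t3s-on-plain-port":
                    findings.append((lineno, entry))
    return findings

# Constructed sample input (hypothetical hosts and property names).
SAMPLE = [
    "java.naming.provider.url=t3s://app1.example.internal:7002",
    "java.naming.provider.url=t3s://app2.example.internal:7001",
    "cluster.url=t3s://app1.example.internal:7002,app3.example.internal:7001",
    "legacy.url=t3://app4.example.internal:7001",
]

if __name__ == "__main__":
    for lineno, endpoint in audit(SAMPLE, {7001}, {7002}):
        print(f"line {lineno}: t3s URL targets non-SSL port at {endpoint}")
```
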
