|
|
>> BEA Products Multiple Security Bypass and Information Disclosure Vulnerabilities
|
Multiple vulnerabilities have been identified in BEA products, which could be exploited by attackers or malicious users to bypass security checks, disclose sensitive information or cause a denial of service.
The first issue is caused by input validation errors when processing user-supplied data, which could be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected application.
The second vulnerability is caused by an error within the WebLogic Server SSL port, which could be exploited by attackers to cause a denial of service by accessing the socket when it is half-closed.
The third issue is caused by an error when editing the role description via the WebLogic Portal Administration Console or via a portal application using the WebLogic Portal APIs, which could be exploited by an authenticated WebLogic Portal administrator or Delegated administrator to corrupt a visitor entitlements role.
The fourth vulnerability is caused by an input validation error within the GroupSpace application when rendering HTML, which could be exploited by an authenticated attacker to cause arbitrary scripting code to be executed by other users' browsers.
The fifth issue is caused by an incorrect use of the username and password defined in the Bridge-destination configuration, which could be exploited by attackers to send unauthorized messages to a protected queue.
The sixth vulnerability is caused by an error in the Administration Console that ignores Domain Security Policies, which could be exploited by a malicious Administrator or Deployer to upload malicious files.
The seventh issue is casued by an error in the "configToScript" command that does not encrypt sensitive attributes within a WLST script (in particular, the node manager password) when creating a new domain, which could be exploited by malicious users to obtain sensitive information and gain unauthorized access to a vulnerable application.
The eighth vulnerability is caused by an error in the Administration Console that displays sensitive attributes in clear text during the Web Service configuration, which could be exploited by malicious users to disclose and use values of sensitive attributes to gain access to certain web services.
The ninth issue is caused by an error in the embedded LDAP module that does not limit nor audit failed login attempts, which could be exploited to mount brute force and denial of service attacks against a vulnerable application.
The tenth vulnerability is caused by an error in JMS that does not perform security access checks on the back-end server, which could be exploited by attackers to perform unauthorized operations (read or write) on a protected queue.
The eleventh issue is caused by errors in "HttpClusterServlet" and "HttpProxyServlet" when configured with the "SecureProxy" parameter, which could be exploited by attackers to send external requests to administrative resources.
The twelfth issue is caused by an error in the Workshop Test View that reveals parent directory information to the WebLogic Workshop Directory (wlwdir) when the application is deployed in an exploded format in a development environment, which could be exploited to obtain sensitive information that will facilitate further attacks.
The thirteenth vulnerability is caused by an error in SSL when handling RSA signatures, which could be exploited by attackers to forge signatures. For additional information, see : VUPEN/ADV-2006-3453
Affected Products
BEA WebLogic Server versions 9.x
BEA WebLogic Server versions 8.x
BEA WebLogic Server versions 7.x
BEA WebLogic Server versions 6.x
BEA WebLogic Portal versions 9.x
BEA WebLogic Integration versions 9.x
BEA WebLogic Workshop/Integration versions 8.x
Solution
BEA WebLogic Server patches :
http://commerce.bea.com/showallversions.jsp?family=WLS
BEA WebLogic Platform patches :
http://commerce.bea.com/showallversions.jsp?family=WLP
References
http://www.vupen.com/english/advisories/2007/1815
http://dev2dev.bea.com/pub/advisory/239
http://dev2dev.bea.com/pub/advisory/238
http://dev2dev.bea.com/pub/advisory/237
http://dev2dev.bea.com/pub/advisory/236
http://dev2dev.bea.com/pub/advisory/235
http://dev2dev.bea.com/pub/advisory/234
http://dev2dev.bea.com/pub/advisory/233
http://dev2dev.bea.com/pub/advisory/231
http://dev2dev.bea.com/pub/advisory/232
http://dev2dev.bea.com/pub/advisory/230
http://dev2dev.bea.com/pub/advisory/229
http://dev2dev.bea.com/pub/advisory/228
http://dev2dev.bea.com/pub/advisory/227
Credits
Vulnerabilities reported by the vendor, ACROS Security, DV Bern AG, Application Security and GomoR.
ChangeLog
2007-05-15 : Initial release
Vulnerability Management
Subscribe to VUPEN VNS and receive real-time e-mail and SMS alerts when new advisories or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form. | |
|
