SPI ADVISORY: Remote Administration of BEA WebLogic Server and Express

From: Caleb Sima (csimaat_private)
Date: Mon Mar 17 2003 - 09:09:50 PST


    Remote Administration of BEA WebLogic Server and Express 
    
    Release Date:
    March 18, 2003
    
    Severity:
    High
    
    Systems Affected:
    • WebLogic Server and Express 6.0
    • WebLogic Server and Express 6.1
    • WebLogic Server and Express 7.0
    
    
    Description:
    SPI Labs and S21sec have identified a serious vulnerability that could
    allow an attacker to gain unauthorized access to the applications and
    systems present on an affected WebLogic server.
    
    Several undocumented applications were found that are deployed in
    default configurations of WebLogic.  Some of these applications are used
    by WebLogic for server-to-server communication during internal
    maintenance and administration tasks, such as source code distribution
    and modification.
    
    Further analysis revealed that many of these applications were not
    adequately protected from unauthorized use.  In some cases, no
    authentication was required to perform administrative functions.  The
    threat posed by the existence of these unprotected applications is
    severe.  If an attacker can directly access a WebLogic server, it is
    reasonable to assume that the presence of this vulnerability can
    ultimately result in a compromise of the applications residing on the
    server.
    
    Because these applications are not intended to be user-configurable or
    user-identifiable, no configuration workaround exists.  BEA has issued a
    patch that corrects this issue.  SPI Labs recommends that it be applied
    to all WebLogic installations immediately.
    
    Remediation:
    SPI Labs recommends the following actions:
    • For WebLogic Server and Express 6.0
        o Upgrade to Service Pack 2 Rolling Patch 3 and follow the
          instructions to apply the included patch:
    • For WebLogic Server and Express 6.1
        o Upgrade to Service Pack 4 and follow the instructions to apply
          the included patch:
        o When Service Pack 5 becomes available, you may use that Service
          Pack instead of Service Pack 4 and the patch
    • For WebLogic Server and Express 7.0 released or 7.0.0.1
        o Upgrade to Service Pack 2 and follow the instructions to apply
          the included patch:
        o When Service Pack 3 becomes available, you may use that Service
          Pack instead of Service Pack 2 and the patch
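    The remediation list above has a small amount of logic in it: each
    branch has a service pack (and, for 6.0, a rolling patch) baseline at
    which the BEA patch must still be applied on top, and 6.1 and 7.0 each
    have a later service pack that makes the separate patch unnecessary.
    The following script, an added example that is not part of the SPI
    Labs advisory and not BEA's tooling, encodes those fix levels so an
    inventory of WebLogic hosts can be triaged against them.  The banner
    layout it parses ("WebLogic Server 7.0.0.1 SP2 RP1"), the host names
    and the whether-patched flags are all constructed assumptions; adapt
    the pattern to whatever your version inventory actually records.

```python
import re

# Fix levels transcribed from the advisory's Remediation section. For each
# affected branch: the service pack (and, for 6.0, rolling patch) at which the
# BEA03-28 patch must be applied on top, and the later service pack that makes
# the separate patch unnecessary (None where the advisory names no such SP).
FIX_LEVELS = {
    "6.0": {"sp": 2, "rp": 3, "patch_superseded_by_sp": None},
    "6.1": {"sp": 4, "rp": 0, "patch_superseded_by_sp": 5},
    "7.0": {"sp": 2, "rp": 0, "patch_superseded_by_sp": 3},
}

# Assumed banner layout (constructed for this example, e.g.
# "WebLogic Server 7.0.0.1 SP2 RP1"); adjust to what your inventory emits.
BANNER_RE = re.compile(
    r"WebLogic Server\s+(?P<ver>\d+\.\d+(?:\.\d+)*)"
    r"(?:\s+SP(?P<sp>\d+))?(?:\s+RP(?P<rp>\d+))?",
    re.IGNORECASE,
)


def parse_banner(banner):
    """Return (major.minor, service_pack, rolling_patch) or None if unparseable."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    # 7.0.0.1 belongs to the 7.0 branch, so keep only the first two components.
    major_minor = ".".join(m.group("ver").split(".")[:2])
    sp = int(m.group("sp") or 0)
    rp = int(m.group("rp") or 0)
    return major_minor, sp, rp


def assess(banner, patch_applied):
    """Classify one server against the advisory's remediation steps.

    Returns one of:
      'unparseable'   - banner did not match the assumed layout
      'not-listed'    - branch is not among the versions the advisory names
      'needs-upgrade' - below the service pack / rolling patch baseline
      'needs-patch'   - at or above baseline but the BEA patch is missing
      'fixed'         - baseline plus patch, or a superseding service pack
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return "unparseable"
    major_minor, sp, rp = parsed
    levels = FIX_LEVELS.get(major_minor)
    if levels is None:
        return "not-listed"
    superseding = levels["patch_superseded_by_sp"]
    if superseding is not None and sp >= superseding:
        return "fixed"  # later SP replaces "baseline SP + patch"
    below_baseline = sp < levels["sp"] or (sp == levels["sp"] and rp < levels["rp"])
    if below_baseline:
        return "needs-upgrade"
    return "fixed" if patch_applied else "needs-patch"


def triage(inventory):
    """inventory: iterable of (host, banner, patch_applied) -> {host: status}."""
    return {host: assess(banner, patched) for host, banner, patched in inventory}


# Constructed sample inventory; hosts, banners and patch flags are made up.
SAMPLE_INVENTORY = [
    ("app1.example", "WebLogic Server 7.0 SP1", False),
    ("app2.example", "WebLogic Server 7.0.0.1 SP2", False),
    ("app3.example", "WebLogic Server 7.0 SP2", True),
    ("app4.example", "WebLogic Server 6.1 SP5", False),
    ("app5.example", "WebLogic Server 6.0 SP2 RP2", True),
    ("app6.example", "WebLogic Server 8.1", False),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

    Note that "not-listed" only means the branch is not among the versions
    this advisory names; it is not a statement that such a release is safe.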
    
    Vendor Information:
    BEA has been notified of this issue and has released the patch
    information described above at the following link:
    
    http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-28.jsp
    



    This archive was generated by hypermail 2b30 : Mon Mar 17 2003 - 10:17:14 PST