A vulnerability exists in various versions of Weblogic Server and Weblogic Express when a client logs in multiple times as different users using RMI (Remote Method Invocation) over IIOP (Internet Inter-ORB Protocol). This may reportedly result in an RMI method being executed under the wrong identity. Affected versions: WebLogic Server and WebLogic Express 8.1, on all platforms, WebLogic Server and WebLogic Express 7.0, on all platforms, and WebLogic Server and WebLogic Express 6.1, on all platforms.
7c596d91f9fead17e5b14f54e34f7f6c2e74de76810cffc996835d9e9049a456<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml" lang="en"><head><title>A remedy is available to prevent unexpected user identity</title>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="Content-Language" content="en-us">
<!--link rel="stylesheet" href="/images/styles.css" -->
<style type="text/css" media="all">@import "http://dev2dev.bea.com/homepage/fonts.css";</style>
<script language="javascript" src="BEA04_62.00_files/mainlib.js"></script>
<meta name="decorator" content="dev2dev">
<meta name="breadcrumb" content="advisoriesnotifications">
<meta name="notPrintable" content="true">
<meta name="noCommentsEmail" content="true"></head>
<body bgcolor="#ffffff">
<div class="breadcrumb">
<a href="http://dev2dev.bea.com/index.jsp">dev2dev Home</a> > Advisories<br>
</div>
<div id="content">
<div id="summary">
<img src="BEA04_62.00_files/h1_advisories.gif" alt="BEA Advisories & Notifications">
<div class="title_line"></div>
</div>
<b>Security Advisory:</b> (BEA04-62.00)<br><br>
<b>From:</b> BEA Systems Inc.
<br><br>
<b>Minor Subject:</b> A remedy is available to prevent unexpected user identity
<br><br>
<b>Product(s) Affected:</b> WebLogic Server and WebLogic Express
<br><br> Threat level: Low – this vulnerability requires a single client
JVM to log into WebLogic Server more than once using RMI over the IIOP
protocol. <br><br>
Severity: Low – there is the potential one user could execute an RMI method under the wrong identity
<br><br> Recently a problem was identified that could potentially cause
a security vulnerability in certain versions of WebLogic Server and
WebLogic Express. Patches are available to correct this problem (see
Section II). BEA System treats potential security problems with the
highest degree of urgency and does everything possible to ensure the
security of all customer assets. As a result, BEA systems strongly
suggests the following actions: <br><br>
<blockquote>
I. Read the following advisory.<br>
II. Apply the suggested action.<br>
III. If you know of any additional users interested in future security
advisories, please forward them the registration instructions below. </blockquote>
<br>
<h3>I. Advisory</h3> This vulnerability can occur when a client logs
into WebLogic Server multiple times as different users. The
documentation describes the behavior of the client when RMI requests
are made when there is no current user associated with the client’s
thread. While correct for RMI over T3, this description is incorrect
for RMI over the IIOP protocol and any client that relied on the
documented behavior may get an unexpected user identity in an RMI call.<br><br>
The remedy below updates the documentation to address this vulnerability.
<br><br>
<b> The following versions of WebLogic Server and WebLogic Express are affected by this vulnerability. </b>
<br><br>
<ul>
<li> WebLogic Server and WebLogic Express 8.1, on all platforms </li>
<li> WebLogic Server and WebLogic Express 7.0, on all platforms </li>
<li> WebLogic Server and WebLogic Express 6.1, on all platforms </li>
</ul>
<h3>II. SUGGESTED ACTION</h3>
BEA strongly recommends the following course of actions:
<br><br>
<ul>
<li><b>For WebLogic Server and WebLogic Express 8.1 </b></li><br>
Read the updated documentation at: <a href="http://e-docs.bea.com/wls/docs81/jndi/jndi.html#478033">http://e-docs.bea.com/wls/docs81/jndi/jndi.html#478033</a>
<br>
and ensure that your client code is written correctly with regards to the updated documentation.
<br><br>
<li><b> For WebLogic Server and WebLogic Express 7.0</b></li><br>
Read the updated documentation at: <a href="http://e-docs.bea.com/wls/docs70/jndi/jndi.html#477188">http://e-docs.bea.com/wls/docs70/jndi/jndi.html#477188</a>
<br>
and ensure that your client code is written correctly with regards to the updated documentation.
<br><br>
<li><b>For WebLogic Server and WebLogic Express 6.1 </b></li><br>
Read the updated documentation at: <a href="http://e-docs.bea.com/wls/docs61/jndi/jndi.html#477126">http://e-docs.bea.com/wls/docs61/jndi/jndi.html#477126</a>
<br>
and ensure that your client code is written correctly with regards to the updated documentation.
<br><br>
</ul>
<b>BEA strongly suggests that customers apply the remedies recommended in all our security advisories.</b>
BEA also urges customers to apply every Service Pack as they are
released. Service Packs include a roll-up of all bug fixes for each
version of the product, as well as each of the prior Service Packs.
Service Packs and information about them can be found at: <br><br>
<a href="http://commerce.beasys.com/downloads/weblogic_server.jsp#wls">http://commerce.beasys.com/downloads/weblogic_server.jsp#wls </a>
<br><br>
<b>Note:</b> Information about securing WebLogic Server and WebLogic Express can be found at <a href="http://e-docs.bea.com/wls/docs81/security.html">http://e-docs.bea.com/wls/docs81/security.html</a>, Specific lockdown information is provided at <a href="http://e-docs.bea.com/wls/docs81/lockdown/index.html">http://e-docs.bea.com/wls/docs81/lockdown/index.html</a>. We strongly encourage you to review this documentation to ensure your server deployment is securely configured.
<br><br>
<h3>III. FUTURE SECURITY COMMUNICATIONS</h3> As a corporate policy, if
there are any security-related issues with any BEA product, BEA Systems
will distribute an advisory and instructions with the appropriate
course of action. Because the security of your site, data, and code is
our highest priority, we are committed to communicating all
security-related issues clearly and openly. <br><br>
All previous advisories and notifications can be viewed at <a href="http://dev2dev.bea.com/advisories/">http://dev2dev.bea.com/advisories/</a>
<br><br> BEA Systems has established an opt-in emailing list
specifically targeted for product security advisories and
notifications. As a policy, if a user has opted-in to our emailing list
and there are any security issues with the BEA product(s) he/she is
using, BEA will distribute an advisory and instructions via email with
the appropriate course of action. <br><br>
ADDITIONAL USERS WHO WISH TO REGISTER FOR ADVISORY DISTRIBUTION SHOULD FOLLOW THE REGISTRATION DIRECTIONS AT <a href="http://dev2dev.bea.com/advisories">http://dev2dev.bea.com/advisories</a>
<br><br>
<h3>IV. REPORTING SECURITY ISSUES</h3>
Security issues can be reported to BEA by sending email to <a href="mailto:secalert@bea.com">secalert@bea.com</a> or by following the directions at <a href="http://dev2dev.bea.com/advisories/">http://dev2dev.bea.com/advisories/</a>.
All reports of security issues will be promptly reviewed and all
necessary actions taken to ensure the continued security of all
customer assets. <br><br>
If you have any questions or care to verify the authenticity of this advisory, please contact BEA Technical Support at <a href="mailto:support@bea.com">support@bea.com</a>
<br><br>
Thank you,<br>
BEA Systems, Inc.
<br><br>
</div>
</div>
<div id="footer">
<a href="http://www.bea.com/contact/index.shtml">Contact BEA</a>
<a href="http://dev2dev.bea.com/sitemap/index.jsp">Site Map</a>
<a href="http://dev2dev.bea.com/index.xml">RSS</a>
<a href="http://dev2dev.bea.com/surveys/">Feedback</a>
<a href="http://www.bea.com/framework.jsp?CNT=privacy.htm&FP=/content/legal/">Privacy</a>
© 2004 BEA Systems
<a href="http://dev2dev.bea.com.cn/"><img src="BEA04_62.00_files/intl_cn.gif" alt="dev2dev China"></a>
<a href="http://www.beasys.co.jp/dev2dev/"><img src="BEA04_62.00_files/intl_jp.gif" alt="dev2dev Japan"></a>
<div class="twodots"><img src="BEA04_62.00_files/_.gif" width="300" height="4" alt=""></div>
<div class="redline"><img src="BEA04_62.00_files/_.html" width="200" height="4" alt=""></div>
</div>
<!-- START OF Data Collection Server TAG -->
<script language="JavaScript" src="BEA04_62.00_files/wt_util.js"></script>
<script language="JavaScript">
<!--
dcs_TAG(TagPath);
//-->
</script>
<noscript>
<img border="0" name="DCSIMG" width="1" height="1" src="http://63.96.161.95/njs.gif?dcsuri=/nojavascript">
</noscript>
<!-- END OF Data Collection Server TAG -->
</body></html>
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed