
Secunia Security Advisory 17138

Posted Oct 11, 2005
Authored by Secunia | Site secunia.com

Secunia Security Advisory - 24 vulnerabilities and security issues have been reported in WebLogic Server and WebLogic Express, where the most critical ones potentially can be exploited by malicious users to gain escalated privileges and by malicious people to conduct cross-site scripting and HTTP request smuggling attacks, cause a DoS (Denial of Service), and bypass certain security restrictions.

tags | advisory, web, denial of service, vulnerability, xss
SHA-256 | c87a14500e69386bb7a1c242318feec7e8c235f3f3470a3ce6321c5f230445fb



TITLE:
BEA WebLogic 24 Vulnerabilities and Security Issues

SECUNIA ADVISORY ID:
SA17138

VERIFY ADVISORY:
http://secunia.com/advisories/17138/

CRITICAL:
Moderately critical

IMPACT:
Security Bypass, Cross Site Scripting, Manipulation of data, Brute
force, Exposure of system information, Exposure of sensitive
information, Privilege escalation, DoS

WHERE:
From remote

SOFTWARE:
BEA WebLogic Server 9.x
http://secunia.com/product/5822/
BEA WebLogic Server 8.x
http://secunia.com/product/1360/
BEA WebLogic Server 7.x
http://secunia.com/product/754/
BEA WebLogic Server 6.x
http://secunia.com/product/753/
BEA WebLogic Express 9.x
http://secunia.com/product/5823/
BEA WebLogic Express 8.x
http://secunia.com/product/1843/
BEA WebLogic Express 7.x
http://secunia.com/product/1282/
BEA WebLogic Express 6.x
http://secunia.com/product/1281/

DESCRIPTION:
24 vulnerabilities and security issues have been reported in WebLogic
Server and WebLogic Express, where the most critical ones potentially
can be exploited by malicious users to gain escalated privileges and
by malicious people to conduct cross-site scripting and HTTP request
smuggling attacks, cause a DoS (Denial of Service), and bypass
certain security restrictions.

1) An error in the thread handling of the server can be exploited by
malicious clients to hang threads on a vulnerable server.

The vulnerability affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all
platforms)
* WebLogic Server / Express 7.0 through Service Pack 5 (all
platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all
platforms)

2) Some unspecified input isn't properly sanitised before being
returned to the user. This can be exploited to execute arbitrary HTML
and script code in a user's or administrator's browser session in the
context of an affected site.

This is related to vulnerability #6 in:
SA15486

The vulnerability affects the following versions:
* WebLogic Server / Express 9.0 initial release (all platforms)
* WebLogic Server / Express 8.1 through Service Pack 4 (all
platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all
platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all
platforms)

3) The problem is that Java client applications that use the SSL
protocol without specifying a user may, in certain situations,
communicate insecurely over an unencrypted protocol.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 3 (all
platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all
platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all
platforms)

4) The problem is that if a Java client application creates both
insecure and secure (SSL) connections to a server, then an insecure
connection will be established instead of the intended secure
connection in certain situations.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all
platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all
platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all
platforms)

5) An error in the deploying of Web applications and EJBs can be
exploited by a malicious web application with Deployer privileges to
gain Admin privileges via the run-as deployment descriptor element.

The vulnerability affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all
platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all
platforms)

6) The problem is that under heavy load some audit events may be
posted with incorrect severity levels on sites that have auditing
enabled. This may cause some customer filtering software to miss
certain audit events.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all
platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all
platforms)

7) The problem is that IP addresses of machines behind a firewall can
be disclosed by a malicious person via NAT (Network Address
Translation).

The vulnerability affects the following version:
* WebLogic Server 8.1 through Service Pack 3 (all platforms)

8) The passphrase for the Trust keystore is stored in clear text in
the "nodemanager.config" file. This can be exploited to disclose the
server's private keys.

Successful exploitation requires file access to the
"nodemanager.config" file.

The security issue affects the following version:
* WebLogic Server 8.1 through Service Pack 3 (all platforms)

9) An error where Principals from a derived Principal class are not
properly validated in certain situations may be exploited to gain
escalated privileges.

The vulnerability affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all
platforms)
* WebLogic Server / Express 7.0 through Service Pack 5 (all
platforms)

10) An error where the servlet root URL pattern does not properly
protect servlets may be exploited by malicious people to access
certain servlet resources.

The vulnerability affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 3 (all
platforms)
* WebLogic Server / Express 7.0 through Service Pack 5 (all
platforms)

11) An error in the restriction of an unspecified internal servlet in
the Administration server can be exploited to access files on the
local file system.

Successful exploitation requires the Admin security role.

The vulnerability affects the following version:
* WebLogic Server / Express 8.1 through Service Pack 3 (all platforms)

12) An error in the importing of security policies from other
operating systems (e.g. from UNIX to Windows) can cause servlets to be
left unprotected.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 (all platforms)
* WebLogic Server / Express 7.0 (all platforms)

13) The passphrase for the private key used to configure SSL is
displayed in clear text on the terminal and stored in clear text in
the server log file when creating a WebLogic server domain via the
configuration wizard.

The security issue affects the following version:
* WebLogic Server 8.1 through Service Pack 3 (all platforms)

14) The problem is that certain servlet resources may not be properly
protected from malicious people after an error occurs during
deployment when the fullyDelegateAuthorization mode is enabled.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 3 (all
platforms)
* WebLogic Server / Express 7.0 through Service Pack 5 (all
platforms)

15) The problem is that system properties which may contain sensitive
information (e.g. passwords) are logged to the server log file.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all
platforms)
* WebLogic Server / Express 7.0 through Service Pack 5 (all
platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all
platforms)

16) The problem is that the password used to boot the server is
stored in clear text in the Windows registry.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all
platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all
platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all
platforms)

17) The problem is that a password is included in a subject when
using IIOP (Internet Inter-ORB Protocol) and may be exposed in an
exception to a remote client or in the server log.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all
platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all
platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all
platforms)

18) WebLogic Server / Express has a user lockout mechanism designed
to protect against brute-force attacks. The problem is that the
feature can be exploited by malicious people to lock out the
administrator via multiple incorrect login requests.

Successful exploitation requires knowledge of the administrator's
username.

19) The problem is that a Deployer can use the weblogic.Deployer
command using the insecure t3 protocol in communication with the
Administration server.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all
platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all
platforms)

20) The problem is that Multicast messages are sent in clear text in
clusters.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all
platforms)
* WebLogic Server / Express 7.0 through Service Pack 5 (all
platforms)

21) An error in the handling of incorrect log records may cause MBean
configuration changes not to be saved in the audit log.

The security issue affects the following version:
* WebLogic Server / Express 8.1 through Service Pack 4 (all
platforms)

22) An error in the handling of malformed HTTP requests may be
exploited by malicious people to conduct HTTP request smuggling
attacks.

The vulnerability affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all
platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all
platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all
platforms)

23) An error in the handling of servlets doing relative forwarding
may cause a vulnerable site to become unusable in certain
situations.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all
platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all
platforms)

24) An error in the user lockout security mechanism allows malicious
people to perform more login requests than intended.

The security issue affects the following versions:
* WebLogic Server 8.1 through Service Pack 5 (all platforms)
* WebLogic Server 7.0 through Service Pack 6 (all platforms)
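Items 18 and 24 above describe two ways a lockout mechanism can fail: a remote party who knows the administrator's username can lock the administrator out, and concurrent attempts can exceed the configured limit. The following is an added example, not code from Secunia or BEA, of a login throttle that avoids both; the class, the policy values, the account names and the addresses are constructed for illustration.

```python
import threading
import time
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor

MAX_FAILURES = 5        # constructed policy values for the example
LOCKOUT_SECONDS = 300


class LoginThrottle:
    def __init__(self, protected_users, max_failures=MAX_FAILURES,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.monotonic):
        self._protected = set(protected_users)   # e.g. administrator accounts
        self._max, self._lockout, self._clock = max_failures, lockout_seconds, clock
        self._lock = threading.Lock()
        self._failures = defaultdict(int)        # key -> consecutive failures
        self._locked_until = {}                  # key -> monotonic deadline

    def _key(self, username, source):
        # Ordinary accounts lock per account; protected accounts lock per
        # (account, source), so a remote party who only knows the admin
        # username blocks its own source, not the administrator (item 18).
        return (username, source) if username in self._protected else (username,)

    def attempt(self, username, source, check_password):
        """Return 'ok', 'failed' or 'locked' for one login attempt."""
        key = self._key(username, source)
        # Lockout test, password check and counter update are one critical
        # section, so simultaneous requests cannot obtain more password
        # checks than the limit allows (item 24). A production server would
        # reserve the attempt under the lock and verify the password outside it.
        with self._lock:
            if self._clock() < self._locked_until.get(key, 0.0):
                return "locked"
            if check_password():
                self._failures.pop(key, None)
                return "ok"
            self._failures[key] += 1
            if self._failures[key] >= self._max:
                self._locked_until[key] = self._clock() + self._lockout
                self._failures.pop(key, None)
            return "failed"


def concurrent_failures(throttle, username, source, n):
    """Fire n wrong-password attempts from n threads; return the outcomes."""
    with ThreadPoolExecutor(max_workers=n) as pool:
        futures = [pool.submit(throttle.attempt, username, source, lambda: False)
                   for _ in range(n)]
    return [f.result() for f in futures]
```

With the limit set to 5, a burst of 20 simultaneous wrong passwords yields exactly 5 "failed" and 15 "locked" outcomes, and a lockout of the "admin" account from one source leaves logins from another source unaffected.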

SOLUTION:
Patches and updated documentation are available (see the original
vendor advisories).

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

2) The vendor credits:
* ACROS Security
* DV Bern AG
* Application Security Inc
* GomoR

ORIGINAL ADVISORY:
http://dev2dev.bea.com/pub/advisory/138
http://dev2dev.bea.com/pub/advisory/139
http://dev2dev.bea.com/pub/advisory/140
http://dev2dev.bea.com/pub/advisory/141
http://dev2dev.bea.com/pub/advisory/142
http://dev2dev.bea.com/pub/advisory/143
http://dev2dev.bea.com/pub/advisory/144
http://dev2dev.bea.com/pub/advisory/145
http://dev2dev.bea.com/pub/advisory/146
http://dev2dev.bea.com/pub/advisory/147
http://dev2dev.bea.com/pub/advisory/148
http://dev2dev.bea.com/pub/advisory/149
http://dev2dev.bea.com/pub/advisory/150
http://dev2dev.bea.com/pub/advisory/151
http://dev2dev.bea.com/pub/advisory/152
http://dev2dev.bea.com/pub/advisory/153
http://dev2dev.bea.com/pub/advisory/154
http://dev2dev.bea.com/pub/advisory/155
http://dev2dev.bea.com/pub/advisory/156
http://dev2dev.bea.com/pub/advisory/157
http://dev2dev.bea.com/pub/advisory/158
http://dev2dev.bea.com/pub/advisory/159
http://dev2dev.bea.com/pub/advisory/160
http://dev2dev.bea.com/pub/advisory/161

OTHER REFERENCES:
SA15486:
http://secunia.com/advisories/15486/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------
