TITLE:
BEA WebLogic Group Membership Security Issue

SECUNIA ADVISORY ID:
SA11356

VERIFY ADVISORY:
http://secunia.com/advisories/11356/

CRITICAL:
Not critical

IMPACT:
Privilege escalation

WHERE:
Local system

SOFTWARE:
BEA WebLogic Server 8.x
BEA WebLogic Server 7.x
BEA WebLogic Express 8.x
BEA WebLogic Express 7.x

DESCRIPTION:
A security issue has been discovered in WebLogic Server and WebLogic Express, which may lead to inappropriate privileges being granted.

The problem arises when a parent group is deleted, because its child groups remain members of it after the deletion. If the parent group is later re-created and granted higher privileges, those privileges are inherited by any group that was a member of the group before it was deleted.

SOLUTION:
Updates are available.

WebLogic Server and WebLogic Express version 8.1 Service Pack 2:
ftp://ftpna.beasys.com/pub/releases/security/wlSecurityProviders81.jar
(follow the guidelines in the original advisory)

WebLogic Server and WebLogic Express version 7.0:
Apply Service Pack 5.

PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.

ORIGINAL ADVISORY:
http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_52.00.jsp
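ADDED EXAMPLE:
The following is an added illustration, not code from BEA or Secunia. It models the stale-membership condition from the DESCRIPTION with a hypothetical in-memory GroupStore, shows a delete that also clears child memberships, and includes an audit that lists memberships pointing at groups that no longer exist. All group names and privileges are constructed.

```python
# Constructed model of nested group membership; not WebLogic code.
class GroupStore:
    def __init__(self):
        self.privileges = {}   # group name -> set of privileges
        self.member_of = {}    # child group -> set of parent group names

    def create(self, name, privileges=()):
        self.privileges[name] = set(privileges)
        self.member_of.setdefault(name, set())

    def add_member(self, child, parent):
        self.member_of[child].add(parent)

    def delete_flawed(self, name):
        # Behaviour described in the advisory: the group goes away, but
        # child groups keep their membership reference to it.
        del self.privileges[name]
        self.member_of.pop(name, None)

    def delete_clean(self, name):
        # Hardened form: also remove the group from every child's memberships.
        self.delete_flawed(name)
        for parents in self.member_of.values():
            parents.discard(name)

    def dangling(self):
        # Audit: memberships that point at a group that no longer exists.
        return sorted((c, p) for c, ps in self.member_of.items()
                      for p in ps if p not in self.privileges)

    def effective(self, group, seen=None):
        # Privileges of a group plus those inherited from existing parents.
        seen = set() if seen is None else seen
        if group in seen or group not in self.privileges:
            return set()
        seen.add(group)
        result = set(self.privileges[group])
        for parent in self.member_of.get(group, ()):
            result |= self.effective(parent, seen)
        return result

def scenario(delete_method):
    store = GroupStore()
    store.create("Operators", {"read"})            # constructed parent group
    store.create("Contractors")                    # constructed child group
    store.add_member("Contractors", "Operators")
    getattr(store, delete_method)("Operators")
    stale = store.dangling()                       # audit before re-creation
    store.create("Operators", {"read", "deploy"})  # re-created with more rights
    return stale, store.effective("Contractors")
```

Running the dangling() audit before a deleted group name is reused is the point at which the stale membership is still visible as an orphan reference.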