----------------------------------------------------------------------

TITLE:
BEA WebLogic Multiple Vulnerabilities and Security Issues

SECUNIA ADVISORY ID:
SA23750

VERIFY ADVISORY:
http://secunia.com/advisories/23750/

CRITICAL:
Moderately critical

IMPACT:
Security Bypass, Spoofing, Exposure of sensitive information, DoS, System access

WHERE:
From remote

SOFTWARE:
BEA WebLogic Server 9.x
http://secunia.com/product/5822/
BEA WebLogic Server 8.x
http://secunia.com/product/1360/
BEA WebLogic Server 7.x
http://secunia.com/product/754/
BEA WebLogic Server 6.x
http://secunia.com/product/753/
BEA WebLogic Portal 9.x
http://secunia.com/product/13273/
BEA WebLogic Express 9.x
http://secunia.com/product/5823/
BEA WebLogic Express 8.x
http://secunia.com/product/1843/
BEA WebLogic Express 7.x
http://secunia.com/product/1282/
BEA WebLogic Express 6.x
http://secunia.com/product/1281/
BEA JRockit 1.x
http://secunia.com/product/13274/

DESCRIPTION:
Multiple vulnerabilities and security issues have been reported in BEA WebLogic, which can be exploited by malicious people or malicious users to gain knowledge of sensitive information, bypass certain security restrictions, conduct spoofing attacks, cause a DoS (Denial of Service), or potentially compromise a vulnerable system.

1) An error in the SSL library can be exploited to determine the plaintext block.
The vulnerability affects the following versions:
* WebLogic Server 8.1 released through Service Pack 5, on all platforms
* WebLogic Server 7.0 released through Service Pack 7, on all platforms
* WebLogic Server 6.1 released through Service Pack 7, on all platforms

2) The server does not properly validate client certificates when reusing connections from the cache. This can be exploited to gain access to the web server via an X.509 certificate.

Successful exploitation requires that the application allows access to multiple users via a single client process.

The vulnerability affects the following versions:
* WebLogic Server 8.1 released through Service Pack 4, on all platforms

3) Passwords stored in the JDBCDataSourceFactory MBean Properties attribute are not encrypted. This can be exploited by malicious users to view the passwords.

The security issue affects the following versions:
* WebLogic Server 9.0 initial release
* WebLogic Server 8.1, released through Service Pack 4
* WebLogic Server 7.0, released through Service Pack 6

4) An error in thread management can be exploited to cause the server to hang via a series of specially crafted requests.

The vulnerability affects the following versions:
* WebLogic Server 9.1, on all platforms
* WebLogic Server 9.0, on all platforms
* WebLogic Server 8.1 through Service Pack 5, on all platforms
* WebLogic Server 7.0 through Service Pack 6, on all platforms

5) An error in WebLogic clients using WS-Security can be exploited via man-in-the-middle attacks.

The security issue affects the following versions:
* WebLogic Server 9.2 with no maintenance packs, on all platforms
* WebLogic Server 9.1 on all platforms
* WebLogic Server 9.0 on all platforms
* WebLogic Server 8.1 released through Service Pack 5, on all platforms

6) Deployed .ear or exploded .ear files that use the manifest class-path property to point to utility jar files can be exploited by a malicious person to view files inside the class-path property.
The vulnerability affects the following versions:
* WebLogic Server 8.1 released through Service Pack 5, on all platforms
* WebLogic Server 7.0 released through Service Pack 7, on all platforms
* WebLogic Server 6.1 released through Service Pack 7, on all platforms

7) The server does not properly protect sensitive values when an administrator edits the config.xml file offline using clear text values. During a restart, WebLogic Server saves a backup of the file including the clear text values.

The security issue affects the following versions:
* WebLogic Server 8.1 released through Service Pack 5, on all platforms

8) An error in the handling of threads when processing error pages defined in web.xml can be exploited to cause the server to become unresponsive.

The vulnerability affects the following versions:
* WebLogic Server 9.0 on all platforms
* WebLogic Server 8.1 released through Service Pack 5, on all platforms
* WebLogic Server 7.0 released through Service Pack 6, on all platforms
* WebLogic Server 6.1 released through Service Pack 7, on all platforms

9) An error in enforcing access controls when an application is dynamically updated and redeployed can be exploited to gain unauthorized access to certain resources.

The security issue affects the following versions:
* WebLogic Server 8.1 released through Service Pack 5, on all platforms

10) An error in the way the WSSE runtime enforces decryption certificates can be exploited to bypass certain security restrictions.

The vulnerability affects the following versions:
* WebLogic Server 9.1 on all platforms
* WebLogic Server 9.0 on all platforms

11) Some EJB calls can be executed with administrative privileges and can be exploited via malicious EJBs installed in the server.

Successful exploitation requires that the WebLogic Server 6.1 compatibility realm is used.
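Items 3 and 7 both come down to credential values that sit unencrypted in WebLogic configuration (the MBean Properties attribute, and config.xml plus the backup copy WebLogic writes on restart). The following audit script is an added example, not part of the Secunia or BEA advisories; it assumes WebLogic's convention that encrypted configuration values carry a {3DES} or {AES} prefix, and the sample config fragments and the urn:example namespace are constructed.

```python
"""Audit WebLogic config.xml and its backup copies for clear-text secrets."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List, Tuple

# Assumption: WebLogic marks encrypted config values with one of these
# prefixes; anything else in a password-like setting is treated as clear text.
ENCRYPTED_PREFIXES = ("{3DES}", "{AES}")
SENSITIVE = re.compile(r"password|credential|passphrase", re.IGNORECASE)


def _is_cleartext(value: str) -> bool:
    v = value.strip()
    return bool(v) and not v.startswith(ENCRYPTED_PREFIXES)


def find_cleartext_secrets(xml_text: str) -> List[Tuple[str, str]]:
    """Return (location, value) for sensitive settings that are not encrypted.

    Covers both the 8.1 attribute style (Password="...") and the 9.x element
    style (<...-password>...</...-password>), namespaced or not.
    """
    hits: List[Tuple[str, str]] = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.split("}")[-1]  # strip any XML namespace
        for name, value in elem.attrib.items():
            if SENSITIVE.search(name) and _is_cleartext(value):
                hits.append((f"{tag}@{name}", value.strip()))
        if SENSITIVE.search(tag) and elem.text and _is_cleartext(elem.text):
            hits.append((tag, elem.text.strip()))
    return hits


def audit_files(files: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each file name to its clear-text findings (empty list = clean)."""
    return {name: find_cleartext_secrets(text) for name, text in files.items()}


def audit_domain(domain_dir: Path) -> Dict[str, List[Tuple[str, str]]]:
    """Scan config.xml and every backup beside it (config.xml.* variants),
    since item 7 says the restart backup keeps the clear-text values."""
    return audit_files({p.name: p.read_text() for p in domain_dir.glob("config.xml*")})


# Constructed sample fragments, not real domain configurations.
SAMPLE_81 = """<Domain Name="mydomain">
  <JDBCConnectionPool Name="pool1" Password="s3cret" />
  <JDBCConnectionPool Name="pool2" Password="{3DES}AbCdEf==" />
</Domain>"""
SAMPLE_9X = """<domain xmlns="urn:example:weblogic-domain">
  <security-configuration>
    <credential-encrypted>{AES}Zm9v</credential-encrypted>
    <node-manager-password>hunter2</node-manager-password>
  </security-configuration>
</domain>"""
```

Run `audit_domain(Path("/path/to/domain"))` against a domain directory to check the live config.xml together with any backup copies left beside it.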
The security issue affects the following versions:
* WebLogic Server 9.1 on all platforms
* WebLogic Server 9.0 on all platforms
* WebLogic Server 8.1 released through Service Pack 5, on all platforms
* WebLogic Server 7.0 released through Service Pack 7, on all platforms

12) Certain security policies added via the console by the administrator do not properly protect EJB resources. This may be exploited by malicious people to access certain restricted resources.

The security issue affects the following versions:
* WebLogic Server 9.1 on all platforms
* WebLogic Server 9.0 on all platforms
* WebLogic Server 8.1 released through Service Pack 5, on all platforms
* WebLogic Server 7.0 released through Service Pack 6, on all platforms

13) An error in the WebLogic Server proxy plug-in for Apache server can be exploited to cause the server to become unresponsive via a specially crafted request.

The vulnerability is reported in Apache plug-ins dated prior to June 2006.

14) An error in the handling of specially crafted HTTP requests can be exploited to disclose information from previous HTTP requests.

The vulnerability is reported in the following versions:
* WebLogic Server 9.2 with no maintenance packs, on all platforms
* WebLogic Server 9.1 on all platforms
* WebLogic Server 9.0 on all platforms

15) An error in the handling of requests containing specially crafted headers can be exploited to consume a large amount of disk space in the server log.

The vulnerability is reported in the following versions:
* WebLogic Server 7.0 released through Service Pack 7, on all platforms
* WebLogic Server 6.1 released through Service Pack 7, on all platforms

16) An error in the handling of certain socket connections can be exploited to cause the server to become unresponsive to other requests.
The vulnerability is reported in the following versions:
* WebLogic Server 9.2 with no maintenance packs, on Solaris 9
* WebLogic Server 9.1 on Solaris 9
* WebLogic Server 9.0 on Solaris 9

17) Deleting entitlements for a specific role also affects other role entitlements. This can be exploited by malicious users to gain unauthorized access to certain resources.

The security issue is reported in the following versions:
* WebLogic Portal 9.2 on all platforms

18) An error in the WebLogic Server proxy plug-in for Netscape Enterprise Server can be exploited to cause the server to stop responding to other requests or to consume a large amount of CPU resources.

The vulnerability is reported in plug-ins dated prior to September 2006.

19) An error in BEA JRockit can be exploited to cause a buffer overflow via a specially crafted packet. Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in the following versions:
* WebLogic Platform 8.1 released through Service Pack 5 on Linux and Windows
* WebLogic Server 8.1 released through Service Pack 5 on Linux and Windows
* BEA JRockit 1.4.2 R4.5 and previous versions on Linux and Windows

20) Policy changes are not properly migrated to other servers if the Administration Server is down when the changes are made. Malicious users may be able to gain unauthorized access to certain resources.

The security issue is reported in the following versions:
* WebLogic Portal 9.2 on all platforms

SOLUTION:
Apply patches (see vendor advisories for details).

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
1) http://dev2dev.bea.com/pub/advisory/201
2) http://dev2dev.bea.com/pub/advisory/202
3) http://dev2dev.bea.com/pub/advisory/203
4) http://dev2dev.bea.com/pub/advisory/204
5) http://dev2dev.bea.com/pub/advisory/205
6) http://dev2dev.bea.com/pub/advisory/206
7) http://dev2dev.bea.com/pub/advisory/207
8) http://dev2dev.bea.com/pub/advisory/208
9) http://dev2dev.bea.com/pub/advisory/209
10) http://dev2dev.bea.com/pub/advisory/210
11) http://dev2dev.bea.com/pub/advisory/211
12) http://dev2dev.bea.com/pub/advisory/212
13) http://dev2dev.bea.com/pub/advisory/213
14) http://dev2dev.bea.com/pub/advisory/214
15) http://dev2dev.bea.com/pub/advisory/215
16) http://dev2dev.bea.com/pub/advisory/217
17) http://dev2dev.bea.com/pub/advisory/218
18) http://dev2dev.bea.com/pub/advisory/219
19) http://dev2dev.bea.com/pub/advisory/222
20) http://dev2dev.bea.com/pub/advisory/223

----------------------------------------------------------------------

About:
This advisory was delivered by Secunia as a free service to help everybody keep their systems up to date against the latest vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

----------------------------------------------------------------------