TITLE:
BEA WebLogic Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA12524

VERIFY ADVISORY:
http://secunia.com/advisories/12524/

CRITICAL:
Moderately critical

IMPACT:
Security Bypass, Manipulation of data, Exposure of system information, Exposure of sensitive information, DoS

WHERE:
From remote

SOFTWARE:
BEA WebLogic Server 8.x
http://secunia.com/product/1360/
BEA WebLogic Server 7.x
http://secunia.com/product/754/
BEA WebLogic Server 6.x
http://secunia.com/product/753/
BEA WebLogic Express 8.x
http://secunia.com/product/1843/
BEA WebLogic Express 7.x
http://secunia.com/product/1282/
BEA WebLogic Express 6.x
http://secunia.com/product/1281/

DESCRIPTION:
Multiple vulnerabilities have been reported in WebLogic, where the most critical can be exploited by malicious people to access sensitive information.

1) Internal server objects bound into the JNDI tree are insufficiently protected. This can be exploited using a malicious object to access sensitive information or cause a DoS (Denial of Service) by unbinding the server object.

Successful exploitation requires access to the JNDI tree.

The vulnerability reportedly affects:
* WebLogic Server / Express 8.1, released through Service Pack 2, on all platforms
* WebLogic Server / Express 7.0, released through Service Pack 5, on all platforms
* WebLogic Server / Express 6.1, released through Service Pack 6, on all platforms

2) Insufficient authorization on some weblogic.Admin commands can be exploited to execute these commands without supplying a username and password.

Successful exploitation can cause a DoS or potentially be used to access configuration information.
The vulnerability reportedly affects:
* WebLogic Server / Express 8.1, released through Service Pack 2, on all platforms
* WebLogic Server / Express 7.0, released through Service Pack 5, on all platforms

3) A problem exists concerning installations where the OS provides case-sensitive filenames and cross-mounts directories containing web applications from an OS that does not support case-sensitive filenames. This can potentially cause incorrectly evaluated URL patterns in web.xml to not properly protect resources.

The vulnerability reportedly affects:
* For WebLogic Server / Express 8.1, released through Service Pack 2, on non-Windows platforms
* For WebLogic Server / Express 7.0, released through Service Pack 5, on non-Windows platforms
* For WebLogic Server / Express 6.1, released through Service Pack 6, on non-Windows platforms

4) A problem is caused by clear-text passwords being embedded in some command-line utilities and administrative tasks. This can e.g. be exploited by any malicious, local user who can read the utility source to get access to the password.

The vulnerability reportedly affects:
* WebLogic Server / Express 8.1, released through Service Pack 2, on all platforms.
* WebLogic Server / Express 7.0, released through Service Pack 4, on all platforms.
* WebLogic Server / Express 6.1, released through Service Pack 6, on all platforms.

5) In certain situations the password is echoed back to the administrator when booting the server on the Linux operating system via the WebLogic Administrative Console. This may potentially disclose the administrator's password to other people.
The vulnerability reportedly affects:
* WebLogic Server / Express 8.1, released through Service Pack 2, on Linux
* WebLogic Server / Express 7.0, released through Service Pack 5, on Linux
* WebLogic Server / Express 6.1, released through Service Pack 6, on Linux

6) The server version is sent in an HTTP header, so an HTTP request can be used to retrieve the version number of the currently running server. Malicious people can use this information to check if a system is vulnerable to a specific issue.

The vulnerability reportedly affects:
* WebLogic Server / Express 8.1, released through Service Pack 2, on all platforms
* WebLogic Server / Express 7.0, released through Service Pack 5, on all platforms
* WebLogic Server / Express 6.1, released through Service Pack 6, on all platforms

7) An internal error can leave an application with incomplete security roles and policies. This will, however, only happen if the internal error occurs in one of the security providers during deployment. This can be exploited to compromise application security.

The vulnerability reportedly affects:
* WebLogic Server / Express 8.1, released through Service Pack 2, on all platforms
* WebLogic Server / Express 7.0, released through Service Pack 5, on all platforms

8) Insufficient restrictions on disabled users can be exploited to log on even though the user account has been disabled (but not deleted).

The vulnerability reportedly affects:
* WebLogic Server / Express 8.1, released through Service Pack 2, on all platforms when Active Directory LDAP server is used for authentication
* WebLogic Server / Express 7.0, released through Service Pack 5, on all platforms when Active Directory LDAP server is used for authentication

9) Certain sensitive data and configuration information may be sent in clear-text and can e.g. be exploited to access and potentially replace configuration information.
Successful exploitation requires that a person can sniff network traffic and that the administrator port is not enabled.

The issue reportedly affects the following versions:
* WebLogic Server / Express 8.1 on all platforms
* WebLogic Server / Express 7.0 on all platforms.

SOLUTION:
Patches are available (see the original vendor advisories).

PROVIDED AND/OR DISCOVERED BY:
Reported by vendor.

ORIGINAL ADVISORY:
http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04-65.00.jsp
http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04-66.00.jsp
http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04-67.00.jsp
http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04-68.00.jsp
http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04-69.00.jsp
http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04-70.00.jsp
http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04-71.00.jsp
http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04-72.00.jsp
http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04-73.00.jsp
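Item 3 above describes URL patterns in web.xml that fail to protect resources when web applications sit on a cross-mounted filesystem without case-sensitive filenames. The following is an added example, not part of the Secunia or BEA advisories, of an audit that lists request paths a case-sensitive pattern comparison leaves uncovered and probes whether a directory resolves names case-insensitively. It assumes the patterns are compared case-sensitively while the filesystem ignores case; all patterns, paths and function names are constructed.

```python
# Added example: audits web.xml-style URL patterns for case-variant gaps.
# Patterns, request paths and function names are constructed for illustration.
import os
import tempfile


def matches(pattern, path):
    """Case-sensitive servlet-style match: '/x/*' prefix, '*.ext', '/' default, else exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == "/" or path == pattern


def is_protected(patterns, path, fold_case=False):
    """True if any constraint pattern covers the path; fold_case mimics a
    case-insensitive filesystem deciding which file the path names."""
    if fold_case:
        return any(matches(p.lower(), path.lower()) for p in patterns)
    return any(matches(p, path) for p in patterns)


def case_gaps(patterns, paths):
    """Paths that name a protected file on a case-insensitive filesystem
    but that the case-sensitive pattern comparison leaves unprotected."""
    return [p for p in paths
            if is_protected(patterns, p, fold_case=True)
            and not is_protected(patterns, p)]


def docroot_is_case_insensitive(directory=None):
    """Probe a directory (default: system temp dir) by creating a lower-case
    file and checking whether its upper-case name resolves to it."""
    with tempfile.NamedTemporaryFile(dir=directory, prefix="casechk_") as f:
        head, name = os.path.split(f.name)
        return os.path.exists(os.path.join(head, name.upper()))


# Constructed sample data, not taken from any real deployment.
PATTERNS = ["/admin/*", "/reports/summary.jsp", "*.properties"]
PATHS = ["/admin/config.jsp", "/Admin/config.jsp", "/reports/Summary.jsp",
         "/app.PROPERTIES", "/public/index.jsp"]

if __name__ == "__main__":
    print("case-insensitive docroot:", docroot_is_case_insensitive())
    for path in case_gaps(PATTERNS, PATHS):
        print("not covered by case-sensitive match:", path)
```

Pass the web application directory to docroot_is_case_insensitive() to check the actual mount; a True result together with a non-empty case_gaps() list marks a deployment that needs the vendor patch.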