Bugtraq mailing list archives

SPI ADVISORY: Remote Administration of BEA WebLogic Server and Express


From: "Caleb Sima" <csima () spidynamics com>
Date: Mon, 17 Mar 2003 12:09:50 -0500

Remote Administration of BEA WebLogic Server and Express 

Release Date:
March 18, 2003

Severity:
High

Systems Affected:
• WebLogic Server and Express 6.0
• WebLogic Server and Express 6.1
• WebLogic Server and Express 7.0


Description:
SPI Labs and S21sec have identified a serious vulnerability that could
allow an attacker to gain unauthorized access to the applications and
systems present on an affected Weblogic server.

Several undocumented applications were found that are deployed in
default configurations of WebLogic.  Some of these applications are used
by WebLogic for server-to-server communication during internal
maintenance and administration tasks, such as source code distribution
and modification.

Further analysis revealed that many of these applications were not
adequately protected from unauthorized use.  In some cases, no
authentication was required to perform administrative functions.  The
threat posed by the existence of these unprotected applications is
severe.  If an attacker can directly access a Weblogic server, it is
reasonable to assume that the presence of this vulnerability can
ultimately result in a compromise of the applications residing on the
server.

Because these applications are not intended to be user-configurable or
user-identifiable, no configuration workaround exists.  BEA has issued a
patch that corrects this issue.  SPI Labs recommends that it be applied
to all WebLogic installations immediately.

Remediation:
SPI Labs recommends the following actions:
• For WebLogic Server and Express 6.0
  o Upgrade to Service Pack 2 Rolling Patch 3 and follow the
    instructions to apply the included patch.
• For WebLogic Server and Express 6.1
  o Upgrade to Service Pack 4 and follow the instructions to apply
    the included patch.
  o When Service Pack 5 becomes available, you may use that Service
    Pack instead of Service Pack 4 and the patch.
• For WebLogic Server and Express 7.0 released or 7.0.0.1
  o Upgrade to Service Pack 2 and follow the instructions to apply
    the included patch.
  o When Service Pack 3 becomes available, you may use that Service
    Pack instead of Service Pack 2 and the patch.

Vendor Information:
BEA has been notified of this issue and has released the patch
information described above at the following link:

http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-28.jsp