Message-ID: <000901c2eca8$05066040$390a10ac@spidynamics.com>
Date: Mon, 17 Mar 2003 12:09:50 -0500
From: "Caleb Sima" <csima@...dynamics.com>
To: <bugtraq@...urityfocus.com>
Subject: SPI ADVISORY: Remote Administration of BEA WebLogic Server and Express


Remote Administration of BEA WebLogic Server and Express 

Release Date:
March 18, 2003

Severity:
High

Systems Affected:
•	WebLogic Server and Express 6.0
•	WebLogic Server and Express 6.1
•	WebLogic Server and Express 7.0 


Description:
SPI Labs and S21sec have identified a serious vulnerability that could
allow an attacker to gain unauthorized access to the applications and
systems present on an affected WebLogic server.

Several undocumented applications were found deployed in the default
configuration of WebLogic.  Some of these applications are used by
WebLogic for server-to-server communication during internal maintenance
and administration tasks, such as source code distribution and
modification.

Further analysis revealed that many of these applications were not
adequately protected against unauthorized use.  In some cases, no
authentication was required to perform administrative functions.  The
threat posed by these unprotected applications is severe: if an attacker
can directly reach a WebLogic server, it is reasonable to assume that
this vulnerability can ultimately result in a compromise of the
applications residing on the server.

Because these applications are not intended to be user-configurable or
user-identifiable, no configuration workaround exists.  BEA has issued a
patch that corrects this issue.  SPI Labs recommends that it be applied
to all WebLogic installations immediately.

Remediation:
SPI Labs recommends the following actions:
•	For WebLogic Server and Express 6.0
	o	Upgrade to Service Pack 2 Rolling Patch 3 and follow the
	instructions to apply the included patch:
•	For WebLogic Server and Express 6.1
	o	Upgrade to Service Pack 4 and follow the instructions to apply
	the included patch:
	o	When Service Pack 5 becomes available, you may use that Service
	Pack instead of Service Pack 4 and the patch
•	For WebLogic Server and Express 7.0 (initial release) or 7.0.0.1
	o	Upgrade to Service Pack 2 and follow the instructions to apply
	the included patch:
	o	When Service Pack 3 becomes available, you may use that Service
	Pack instead of Service Pack 2 and the patch

Vendor Information:
BEA has been notified of this issue and has released the patch
information described above at the following link:

http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-28.jsp


