J-Security Center

Title: BEA WebLogic Multiple Vulnerabilities

Severity: HIGH

Description:

WebLogic Server, WebLogic Portal, and WebLogic Express are enterprise-application server products distributed by BEA Systems.

BEA has released 10 advisories identifying various vulnerabilities affecting BEA WebLogic Server, WebLogic Portal, and WebLogic Express. These issues present remote and local threats and may facilitate attacks affecting the integrity, confidentiality, and availability of vulnerable computers.

The following specific issues were disclosed:

BEA06-119.00 - Console applies incorrect JNDI policies.

BEA06-118.00 - Server's SSL identity not properly protected from applications.

BEA06-117.00 - Using a connection filter can cause the server to slow down.

BEA06-116.00 - Non-active security provider appears active.

BEA06-115.00 - A patch is available to enforce access to only specific resources.

BEA06-114.00 - Application code installed on a server may be able to decrypt passwords.

BEA06-113.00 - Changed passwords may show up in audit log.

BEA06-112.00 - An application's deployment descriptor source is visible.

BEA06-111.00 - The server log may be remotely viewable.

BEA06-110.00 - Cleartext database password in the config.xml file. (Bulletin re-released and updated as BEA08-110.01)

BEA06-109.00 - Multiple MBean vulnerabilities.

BEA06-108.00 - Documentation is available describing securing multiple-domains managed from one instance of the WebLogic Server Administration Console.

Affected Products:

  • BEA Systems WebLogic Express 6.1.0
  • BEA Systems WebLogic Express 6.1.0 SP 1
  • BEA Systems WebLogic Express 6.1.0 SP 2
  • BEA Systems WebLogic Express 6.1.0 SP 3
  • BEA Systems WebLogic Express 6.1.0 SP 4
  • BEA Systems WebLogic Express 6.1.0 SP 5
  • BEA Systems WebLogic Express 6.1.0 SP 7
  • BEA Systems WebLogic Express 6.1.0 SP 8
  • BEA Systems WebLogic Express 6.1.0 SP6
  • BEA Systems WebLogic Express 7.0.0
  • BEA Systems WebLogic Express 7.0.0 .0.1
  • BEA Systems WebLogic Express 7.0.0 .0.1 SP 1
  • BEA Systems WebLogic Express 7.0.0 .0.1 SP 2
  • BEA Systems WebLogic Express 7.0.0 .0.1 SP 3
  • BEA Systems WebLogic Express 7.0.0 .0.1 SP 4
  • BEA Systems WebLogic Express 7.0.0 SP 1
  • BEA Systems WebLogic Express 7.0.0 SP 2
  • BEA Systems WebLogic Express 7.0.0 SP 3
  • BEA Systems WebLogic Express 7.0.0 SP 4
  • BEA Systems WebLogic Express 7.0.0 SP 5
  • BEA Systems WebLogic Express 7.0.0 SP 6
  • BEA Systems WebLogic Express 7.0.0 SP 7
  • BEA Systems WebLogic Portal 8.1.0 SP3
  • BEA Systems WebLogic Portal 8.1.0 SP4
  • BEA Systems WebLogic Server for Win32 6.1.0
  • BEA Systems WebLogic Server for Win32 6.1.0 SP 1
  • BEA Systems WebLogic Server for Win32 6.1.0 SP 2
  • BEA Systems WebLogic Server for Win32 6.1.0 SP 3
  • BEA Systems WebLogic Server for Win32 6.1.0 SP 4
  • BEA Systems WebLogic Server for Win32 6.1.0 SP 5
  • BEA Systems WebLogic Server for Win32 6.1.0 SP 6
  • BEA Systems WebLogic Server for Win32 6.1.0 SP 7
  • BEA Systems WebLogic Server for Win32 7.0.0
  • BEA Systems WebLogic Server for Win32 7.0.0 .0.1
  • BEA Systems WebLogic Server for Win32 7.0.0 .0.1 SP 1
  • BEA Systems WebLogic Server for Win32 7.0.0 .0.1 SP 2
  • BEA Systems WebLogic Server for Win32 7.0.0 SP 1
  • BEA Systems WebLogic Server for Win32 7.0.0 SP 2
  • BEA Systems WebLogic Server for Win32 7.0.0 SP 3
  • BEA Systems WebLogic Server for Win32 7.0.0 SP 4
  • BEA Systems WebLogic Server for Win32 7.0.0 SP 5
  • BEA Systems WebLogic Server for Win32 7.0.0 SP 6
  • BEA Systems WebLogic Server for Win32 8.1.0
  • BEA Systems WebLogic Server for Win32 8.1.0 SP 1
  • BEA Systems WebLogic Server for Win32 8.1.0 SP 2
  • BEA Systems WebLogic Server for Win32 8.1.0 SP 3
  • BEA Systems WebLogic Server for Win32 8.1.0 SP 4
  • BEA Systems WebLogic Server for Win32 8.1.0 SP 5
  • BEA Systems WebLogic Server for Win32 9.0
  • BEA Systems Weblogic Server 6.1.0
  • BEA Systems Weblogic Server 6.1.0 SP 1
  • BEA Systems Weblogic Server 6.1.0 SP 2
  • BEA Systems Weblogic Server 6.1.0 SP 3
  • BEA Systems Weblogic Server 6.1.0 SP 4
  • BEA Systems Weblogic Server 6.1.0 SP 5
  • BEA Systems Weblogic Server 6.1.0 SP 7
  • BEA Systems Weblogic Server 6.1.0 SP6
  • BEA Systems Weblogic Server 7.0.0
  • BEA Systems Weblogic Server 7.0.0 .0.1
  • BEA Systems Weblogic Server 7.0.0 .0.1 SP 1
  • BEA Systems Weblogic Server 7.0.0 .0.1 SP 2
  • BEA Systems Weblogic Server 7.0.0 .0.1 SP 3
  • BEA Systems Weblogic Server 7.0.0 .0.1 SP 4
  • BEA Systems Weblogic Server 7.0.0 SP 1
  • BEA Systems Weblogic Server 7.0.0 SP 2
  • BEA Systems Weblogic Server 7.0.0 SP 3
  • BEA Systems Weblogic Server 7.0.0 SP 4
  • BEA Systems Weblogic Server 7.0.0 SP 5
  • BEA Systems Weblogic Server 7.0.0 SP 6
  • BEA Systems Weblogic Server 8.1.0
  • BEA Systems Weblogic Server 8.1.0 SP 1
  • BEA Systems Weblogic Server 8.1.0 SP 2
  • BEA Systems Weblogic Server 8.1.0 SP 3
  • BEA Systems Weblogic Server 8.1.0 SP 4
  • BEA Systems Weblogic Server 8.1.0 SP 5
  • BEA Systems Weblogic Server 9.0

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.