The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Tuxedo

computer vulnerability note CVE-2014-0114

Apache Struts 1: code execution via ClassLoader

Synthesis of the vulnerability

An attacker can use the "class" request parameter to manipulate the ClassLoader, in order to execute code.
Impacted products: Struts, Debian, BIG-IP Hardware, TMOS, Fedora, SiteScope, IRAD, Tivoli Storage Manager, Tivoli System Automation, WebSphere AS Traditional, IBM WebSphere ESB, MBS, MES, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Server, Oracle OIT, Tuxedo, Oracle Virtual Directory, WebLogic, Oracle Web Tier, Puppet, RHEL, RSA Authentication Manager, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive, vCenter Server, VMware vSphere.
Severity: 3/4.
Creation date: 26/05/2014.
Identifiers: 1672316, 1673982, 1674339, 1675822, 2016214, c04399728, c05324755, CERTFR-2014-AVI-382, cpuapr2017, cpujan2018, cpuoct2017, cpuoct2018, CVE-2014-0114, DSA-2940-1, ESA-2014-080, FEDORA-2014-9380, HPSBGN03669, HPSBMU03090, ibm10719287, ibm10719297, ibm10719301, ibm10719303, ibm10719307, MDVSA-2014:095, RHSA-2014:0474-01, RHSA-2014:0497-01, RHSA-2014:0500-01, RHSA-2014:0511-01, RHSA-2018:2669-01, SOL15282, SUSE-SU-2014:0902-1, swg22017525, VIGILANCE-VUL-14799, VMSA-2014-0008, VMSA-2014-0008.1, VMSA-2014-0008.2, VMSA-2014-0012.

Description of the vulnerability

The Apache Struts product is used to develop Java EE applications.

However, Struts 1 populates ActionForm beans from request parameters with Apache Commons BeanUtils, which resolves nested property names through reflection. Every Java object exposes getClass(), so a request parameter named "class" is mapped to that getter, and a parameter name such as "class.classLoader.…" reaches the web application's ClassLoader. Container-specific properties of that ClassLoader can then be written from the request, which on some application servers leads to code execution.

An attacker can therefore use the "class" request parameter to manipulate the ClassLoader, in order to execute code.
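As an added illustration, not code from the Vigil@nce bulletin or from the Struts project, the following stand-alone Java program reproduces the property-walk mechanism with java.beans.Introspector. LoginForm is a hypothetical form bean, resolveUnchecked() mimics an unfiltered nested-getter resolution, and resolveHardened() applies the fix pattern of refusing the "class" segment and any path that lands on a Class or ClassLoader object.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;

public class NestedPropertyDemo {

    /** Hypothetical Struts 1 ActionForm; only "user" is meant to be settable from the request. */
    public static class LoginForm {
        private String user = "";
        public String getUser() { return user; }
        public void setUser(String user) { this.user = user; }
    }

    /** Nested getter walk in the style of BeanUtils: "a.b.c" -> getA().getB().getC(), no filtering. */
    static Object resolveUnchecked(Object bean, String path) throws Exception {
        Object current = bean;
        for (String segment : path.split("\\.")) {
            PropertyDescriptor pd = findProperty(current.getClass(), segment);
            if (pd == null || pd.getReadMethod() == null) {
                throw new IllegalArgumentException("no readable property '" + segment
                        + "' on " + current.getClass().getName());
            }
            current = pd.getReadMethod().invoke(current);
        }
        return current;
    }

    /** Hardened walk: refuse the "class"/"classLoader" segments (as the upstream fix excludes "class")
     *  and never descend into a Class or ClassLoader, whatever the property was called. */
    static Object resolveHardened(Object bean, String path) throws Exception {
        Object current = bean;
        for (String segment : path.split("\\.")) {
            if (segment.equals("class") || segment.equals("classLoader")) {
                throw new SecurityException("property path '" + path + "' is not allowed");
            }
            PropertyDescriptor pd = findProperty(current.getClass(), segment);
            if (pd == null || pd.getReadMethod() == null) {
                throw new IllegalArgumentException("no readable property '" + segment + "'");
            }
            current = pd.getReadMethod().invoke(current);
            if (current instanceof ClassLoader || current instanceof Class) {
                throw new SecurityException("property path '" + path + "' reaches "
                        + current.getClass().getName());
            }
        }
        return current;
    }

    /** Looks up a bean property by name; Introspector reports getClass() as the "class" property. */
    static PropertyDescriptor findProperty(Class<?> type, String name) throws Exception {
        for (PropertyDescriptor pd : Introspector.getBeanInfo(type).getPropertyDescriptors()) {
            if (pd.getName().equals(name)) return pd;
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        LoginForm form = new LoginForm();
        // Benign parameter name "user" resolves to the String property.
        System.out.println("user -> " + resolveUnchecked(form, "user").getClass().getName());
        // Attacker-chosen parameter name "class.classLoader": the unchecked walk calls
        // form.getClass().getClassLoader() and hands back the application's ClassLoader.
        Object target = resolveUnchecked(form, "class.classLoader");
        System.out.println("class.classLoader -> " + target.getClass().getName()
                + " (instanceof ClassLoader: " + (target instanceof ClassLoader) + ")");
        // The hardened walk rejects the same path before any getter is invoked.
        try {
            resolveHardened(form, "class.classLoader");
        } catch (SecurityException e) {
            System.out.println("hardened: " + e.getMessage());
        }
    }
}
```

Run it with `java NestedPropertyDemo.java` (JDK 11 or later). The point of the demo is the second line of output: a request parameter name alone, with no code on the form bean mentioning ClassLoader, is enough for the unfiltered walk to return a live ClassLoader, which is why the vendor fixes block the "class" property at the parameter-population layer rather than in individual forms.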
Complete Vigil@nce bulletin.... (Free trial)

vulnerability note CVE-2011-3414 CVE-2011-4461 CVE-2011-4462

Multiple: denial of service via hash collision

Synthesis of the vulnerability

An attacker can send data whose keys generate hash collisions, in order to overload a service.
Impacted products: CheckPoint Endpoint Security, CheckPoint Security Gateway, Debian, Fedora, WebSphere AS Traditional, IIS, .NET Framework, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP, openSUSE, Oracle AS, Oracle Communications, Oracle DB, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle Internet Directory, Oracle iPlanet Web Server, Tuxedo, WebLogic, Oracle Web Tier, RHEL.
Severity: 3/4.
Creation date: 28/12/2011.
Revision date: 22/02/2012.
Identifiers: 1506603, 2638420, 2659883, BID-51186, BID-51194, BID-51195, BID-51196, BID-51197, BID-51199, BID-51235, BID-51441, CERTA-2011-AVI-727, CERTA-2011-AVI-728, cpujul2018, CVE-2011-3414, CVE-2011-4461, CVE-2011-4462, CVE-2011-4885, CVE-2011-5034, CVE-2011-5035, CVE-2011-5036, CVE-2011-5037, CVE-2012-0039, CVE-2012-0193, CVE-2012-0839, DSA-2783-1, DSA-2783-2, FEDORA-2012-0730, FEDORA-2012-0752, MS11-100, n.runs-SA-2011.004, oCERT-2011-003, openSUSE-SU-2012:0262-1, PM53930, RHSA-2012:1604-01, RHSA-2012:1605-01, RHSA-2012:1606-01, RHSA-2013:1455-01, RHSA-2013:1456-01, sk66350, VIGILANCE-VUL-11254, VU#903934.

Description of the vulnerability

A hash table stores information as keys pointing to values. Each key is hashed to an integer, which selects the slot (bucket) where the value is stored. For example:
 - keyA hashes to 34
 - keyB hashes to 13
The values are then stored in buckets 34 and 13.

In the normal case the hash values are spread uniformly over the table (which has, for example, 100 buckets), so each lookup costs constant time. However, if an attacker chooses keys that all hash to the same integer (for example 34), every entry lands in the same bucket (index 34) and the table degenerates into a list: each lookup or insertion then scans every colliding entry already present, so inserting n such keys costs on the order of n^2 operations.

A POSTed HTTP form can carry a large number of variables, for example var1=a, var2=b, etc. Web servers store these variables in a hash table keyed by variable name. If the attacker computes the variable names so that they all hash to the same bucket, a single request of moderate size consumes CPU time out of all proportion to its size, and a handful of such requests overload the server.

Other features, such as a JSON parser or additional services, can also be used as an attack vector.

The following products are also impacted:
 - Apache APR (VIGILANCE-VUL-11380)
 - Apache Xerces-C++ (VIGILANCE-VUL-15082)
 - Apache Xerces Java (VIGILANCE-VUL-15083)
 - expat (VIGILANCE-VUL-11420)
 - Java Lightweight HTTP Server (VIGILANCE-VUL-11381)
 - Java Language (VIGILANCE-VUL-11715)
 - libxml2 (VIGILANCE-VUL-11384)
 - Python (VIGILANCE-VUL-11416)
 - Ruby (VIGILANCE-VUL-11382)
 - Tomcat (VIGILANCE-VUL-11383)

An attacker can therefore send data whose keys generate hash collisions, in order to overload a service.
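The following Java program is an added example, not part of the bulletin or of any vendor's code. It builds colliding keys from the fact that "Aa" and "BB" share a String.hashCode(), then compares how those keys pile into one bucket against benign variable names of the kind a form would normally send.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class HashCollisionDemo {
    // "Aa" and "BB" have identical String.hashCode(): 65*31 + 97 == 66*31 + 66 == 2112.
    // String.hashCode() is a polynomial in base 31, so concatenating n such blocks in any
    // order gives the same hash: 2^n distinct keys of length 2n all collide.
    static final String[] BLOCKS = {"Aa", "BB"};

    /** Builds 2^blocks distinct strings that all share one hashCode(). */
    static List<String> collidingKeys(int blocks) {
        List<String> keys = new ArrayList<>();
        keys.add("");
        for (int i = 0; i < blocks; i++) {
            List<String> next = new ArrayList<>(keys.size() * 2);
            for (String prefix : keys) {
                for (String block : BLOCKS) next.add(prefix + block);
            }
            keys = next;
        }
        return keys;
    }

    /** Benign keys var0, var1, ... as a normal form would send them (constructed input). */
    static List<String> benignKeys(int n) {
        List<String> keys = new ArrayList<>(n);
        for (int i = 0; i < n; i++) keys.add("var" + i);
        return keys;
    }

    /** Number of distinct hashCode() values among the keys (1 means every key collides). */
    static int distinctHashes(List<String> keys) {
        Set<Integer> seen = new HashSet<>();
        for (String k : keys) seen.add(k.hashCode());
        return seen.size();
    }

    /** Longest chain if the keys were stored in a table of `buckets` slots indexed by hashCode(). */
    static int longestChain(List<String> keys, int buckets) {
        int[] count = new int[buckets];
        int max = 0;
        for (String k : keys) {
            int idx = (k.hashCode() & 0x7fffffff) % buckets;
            if (++count[idx] > max) max = count[idx];
        }
        return max;
    }

    /** Wall-clock milliseconds to insert all keys into a HashMap, as a request parser would. */
    static long insertMillis(List<String> keys) {
        long start = System.nanoTime();
        Map<String, String> params = new HashMap<>();
        for (String k : keys) params.put(k, "x");
        return (System.nanoTime() - start) / 1_000_000;
    }

    public static void main(String[] args) {
        List<String> evil = collidingKeys(16);           // 65536 keys, one hash value
        List<String> good = benignKeys(evil.size());
        System.out.println("distinct hashes:            evil=" + distinctHashes(evil)
                + " benign=" + distinctHashes(good));
        System.out.println("longest chain, 4096 buckets: evil=" + longestChain(evil, 4096)
                + " benign=" + longestChain(good, 4096));
        System.out.println("HashMap insert ms:           evil=" + insertMillis(evil)
                + " benign=" + insertMillis(good));
    }
}
```

Run it with `java HashCollisionDemo.java` (JDK 11 or later). distinctHashes() and longestChain() show the collision directly: 65536 keys, one hash value, one bucket. The timing line is runtime-dependent: from Java 8 on, HashMap converts a long chain of Comparable keys into a balanced tree, so the gap is far smaller than on the Java 6/7 runtimes this bulletin concerned, but the parser still does more work per request than it should. The fixes shipped at the time took two forms: capping the number of request parameters a server will parse (Tomcat's maxParameterCount) and seeding the string hash function per process so the attacker cannot precompute collisions (the approach taken by Ruby and later Python).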

computer vulnerability alert CVE-2007-2694 CVE-2007-2695 CVE-2007-2696

WebLogic, Tuxedo: several vulnerabilities

Synthesis of the vulnerability

An attacker can exploit several vulnerabilities of WebLogic Server/Express and Tuxedo.
Impacted products: Tuxedo, WebLogic.
Severity: 3/4.
Creation date: 15/05/2007.
Identifiers: BEA05-80.02, BEA07-158.00, BEA07-159.00, BEA07-160.00, BEA07-161.00, BEA07-162.00, BEA07-163.00, BEA07-164.00, BEA07-164.01, BEA07-165.00, BEA07-168.00, BEA07-169.00, BEA07-80.03, BEA08-159.01, BEA08-80.04, BID-23979, CVE-2007-2694, CVE-2007-2695, CVE-2007-2696, CVE-2007-2697, CVE-2007-2698, CVE-2007-2699, CVE-2007-2700, CVE-2007-2701, CVE-2007-2704, CVE-2007-2705, CVE-2008-0902, VIGILANCE-VUL-6816.

Description of the vulnerability

An attacker can exploit several vulnerabilities of WebLogic Server/Express and Tuxedo.

Several Cross Site Scripting vulnerabilities can be exploited. [severity:3/4; BEA05-80.02, BEA07-80.03, BEA08-80.04, CVE-2007-2694, CVE-2008-0902]

The cnsbind, cnsunbind and cnsls commands of Tuxedo can display sensitive information. [severity:3/4; BEA07-158.00]

Some requests sent through the WebLogic HttpClusterServlet or HttpProxyServlet, when configured with the SecureProxy parameter, can be executed with elevated privileges. [severity:3/4; BEA07-159.00, BEA08-159.01, CVE-2007-2695]

The JMS backend does not perform security access checks. [severity:3/4; BEA07-160.00, CVE-2007-2696]

The embedded LDAP server does not limit the number of login attempts, which permits brute-force password guessing. [severity:3/4; BEA07-161.00, CVE-2007-2697]

The administration console can display some sensitive attributes in clear text. [severity:3/4; BEA07-162.00, CVE-2007-2698]

The WLST script generated by configToScript contains a clear text password. [severity:3/4; BEA07-163.00, CVE-2007-2700]

Any user with the Deployer role can deploy an application even when the domain security policies forbid it. [severity:3/4; BEA07-164.00, BEA07-164.01, CVE-2007-2699]

A WebLogic JMS Bridge can transfer a message to a protected queue. [severity:3/4; BEA07-165.00, CVE-2007-2701]

An attacker can cause a denial of service by leaving connections to an SSL port in a half-closed state. [severity:3/4; BEA07-168.00, CVE-2007-2704]

RSA signatures are incorrectly verified when the public exponent is 3, so forged signatures can be accepted (VIGILANCE-VUL-6140). [severity:3/4; BEA07-169.00, CVE-2007-2705]

vulnerability alert CVE-2005-1380

BEA Admin console: Cross Site Scripting

Synthesis of the vulnerability

An attacker can craft a URL that triggers a Cross Site Scripting attack in the BEA administration console.
Impacted products: Tuxedo, WebLogic.
Severity: 2/4.
Creation date: 27/04/2005.
Identifiers: BID-13400, CVE-2005-1380, V6-BEAADMINCONSOLEXSS, VIGILANCE-VUL-4931.

Description of the vulnerability

The BEA administration console usually listens on port 8001 and lets the administrator manage the service.

The "server" parameter of the /console/actions/jndi/JndiFramesetAction script is not correctly filtered. An attacker can inject JavaScript code into it.

An attacker can therefore have JavaScript code executed in the browser of an administrator who clicks on a malicious link.
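As an added example, not the console's own code, the Java program below contrasts a vulnerable frameset render that concatenates the "server" parameter into HTML unchanged with a hardened one that validates the value against an identifier allowlist and HTML-escapes it on output. The frame URL inside it and the payload are constructed for the demo.

```java
import java.util.regex.Pattern;

public class FramesetRenderDemo {

    /** Vulnerable: the "server" request parameter is concatenated into the page unchanged. */
    static String renderVulnerable(String server) {
        return "<html><frameset cols=\"30%,70%\">"
             + "<frame src=\"/console/jndi/tree?server=" + server + "\">"   // hypothetical frame URL
             + "<frame name=\"content\" src=\"about:blank\">"
             + "</frameset></html>";
    }

    /** Server names are identifiers; anything else is rejected before rendering. */
    private static final Pattern SERVER_NAME = Pattern.compile("[A-Za-z0-9_.-]{1,64}");

    /** Escapes the characters that can break out of an HTML text or attribute context. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Hardened: allowlist validation, then output encoding. Either layer alone stops the payload below. */
    static String renderHardened(String server) {
        if (server == null || !SERVER_NAME.matcher(server).matches()) {
            throw new IllegalArgumentException("invalid server name");
        }
        String safe = escapeHtml(server);
        return "<html><frameset cols=\"30%,70%\">"
             + "<frame src=\"/console/jndi/tree?server=" + safe + "\">"
             + "<frame name=\"content\" src=\"about:blank\">"
             + "</frameset></html>";
    }

    public static void main(String[] args) {
        // Constructed payload: closes the src attribute and the frame tag, then injects a script.
        String payload = "\"><script>alert(document.cookie)</script>";
        System.out.println("vulnerable: " + renderVulnerable(payload));
        try {
            renderHardened(payload);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened:   rejected (" + e.getMessage() + ")");
        }
        System.out.println("hardened:   " + renderHardened("AdminServer"));
        // What output encoding alone would have produced, had the allowlist not been there.
        System.out.println("escaped:    " + escapeHtml(payload));
    }
}
```

Run it with `java FramesetRenderDemo.java`. The vulnerable line of output contains a live `<script>` element inside the administrator's page; the escaped line shows the same bytes rendered inert as text. Allowlisting is the stronger check for a parameter that can only ever be a server name, but output encoding is what protects the page when the value legitimately needs to carry arbitrary characters.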