
Vulnerability of BEA WebLogic: several vulnerabilities

Synthesis of the vulnerability

BEA Systems published 11 advisories concerning BEA WebLogic Server.
Severity of this computer vulnerability: 2/4.
Number of vulnerabilities in this bulletin: 13.
Creation date: 16/05/2006.
References of this bulletin: BEA06-121.00, BEA06-124.00, BEA06-125.00, BEA06-126.00, BEA06-127.00, BEA06-128.00, BEA06-129.00, BEA06-130.00, BEA06-131.00, BEA06-132.00, BEA06-133.00, BID-17982, CVE-2006-2461, CVE-2006-2462, CVE-2006-2463, CVE-2006-2464, CVE-2006-2465, CVE-2006-2466, CVE-2006-2467, CVE-2006-2468, CVE-2006-2469, CVE-2006-2470, CVE-2006-2471, CVE-2006-2472, CVE-2006-2546, VIGILANCE-VUL-5842.

Description of the vulnerability

BEA Systems published 11 new advisories concerning BEA WebLogic:

BEA06-121.00: the stopWebLogic.sh script displays the password on Unix
BEA06-124.00: applications installed on the server can obtain the private keys
BEA06-125.00: internal IP addresses are visible
BEA06-126.00: security policies on JDBC resources can be disabled
BEA06-127.00: on an error, the HTTP server logs the login and the password
BEA06-128.00: an attacker can obtain the domain name via the authentication form
BEA06-129.00: the console displays the IP address of the WebLogic server
BEA06-130.00: an attacker can obtain JSP source code
BEA06-131.00: the admin password is stored in clear text on disk when it is changed using the method described in the documentation prior to 10 October 2005
BEA06-132.00: some transactions are not protected by SSL
BEA06-133.00: JTA transactions are not protected by SSL

This vulnerability bulletin affects software or systems such as WebLogic.

Our Vigil@nce team rated the severity of this security bulletin as medium.

The trust level is "confirmed by the editor", and the origin is "intranet client".

This bulletin covers 13 vulnerabilities.

An attacker with expert skills can exploit this threat.

Solutions for this threat

WebLogic: solution BEA06-121.00.
WebLogic Platform 8.1
  SP3 contains the fix.
  A workaround is to edit stopWebLogic.sh for each domain and add the following at the beginning of the file:
      DOMAIN_HOME="/the full path to your domain/"
      . ${DOMAIN_HOME}/setDomainEnv.sh
WebLogic Platform 7.0
  SP6 contains the fix.
  A workaround is to replace stopWebLogic.sh for each domain with the one in:
      ftp://ftpna.bea.com/pub/releases/security/CR130515.zip
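As an added example (not from the Vigil@nce bulletin and not BEA's own tooling), a POSIX shell audit that reports whether each domain's stopWebLogic.sh begins with the DOMAIN_HOME assignment and the setDomainEnv.sh sourcing line from the BEA06-121.00 workaround above. The directory layout (one stopWebLogic.sh per domain subdirectory under a root) and the sample files created in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Vigil@nce bulletin or of BEA's tooling.
# Audits whether the BEA06-121.00 workaround (source setDomainEnv.sh at the top
# of stopWebLogic.sh) has been applied to every domain under a root directory.
# Assumption: each domain directory holds its own stopWebLogic.sh; adjust the
# glob in audit_domains if your layout differs.

# Returns 0 when the first two non-blank, non-comment lines of the script are
# the DOMAIN_HOME assignment followed by ". ${DOMAIN_HOME}/setDomainEnv.sh",
# 1 otherwise (file missing, or another command runs before setDomainEnv.sh).
stopweblogic_workaround_applied() {
    script="$1"
    [ -f "$script" ] || return 1
    grep -v '^[[:space:]]*#' "$script" | grep -v '^[[:space:]]*$' | head -n 2 |
        awk 'NR == 1 && /^DOMAIN_HOME=/ { ok1 = 1 }
             NR == 2 && /^\. .*setDomainEnv\.sh/ { ok2 = 1 }
             END { exit !(ok1 && ok2) }'
}

# Prints one status line per domain and returns 1 if any script lacks the
# workaround, so the function can gate a deployment step or a cron report.
audit_domains() {
    root="$1"
    missing=0
    for script in "$root"/*/stopWebLogic.sh; do
        [ -e "$script" ] || continue
        if stopweblogic_workaround_applied "$script"; then
            printf 'OK      %s\n' "$script"
        else
            printf 'MISSING %s\n' "$script"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}
```

Run it as `audit_domains /path/to/user_projects/domains` after applying the workaround; a non-zero exit means at least one domain still has the unpatched script.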

WebLogic: solution BEA06-124.00.
WebLogic Server 9.1
  Use Smart Update to install patch CR265510.
WebLogic Server 9.0
  - install patch 9.0 GA Combo (http://support.bea.com/, Bug ID CR239280)
  - install patch ftp://ftpna.bea.com/pub/releases/security/CR265510_90.jar
  - place the jar from the patch at the end of PATCH_CLASSPATH
WebLogic Server and WebLogic Express version 8.1
  - install SP5
  - install patch ftp://ftpna.beasys.com/pub/releases/security/CR265510_810sp5.jar
  - place the jar from the patch in CLASSPATH before weblogic.jar
  SP6 will contain the fix.
WebLogic Server and WebLogic Express version 7.0
  SP7 contains the fix.
WebLogic Server and WebLogic Express version 6.1
  - install SP7
  - install patch ftp://ftpna.beasys.com/pub/releases/security/CR265510_610sp7.jar
  - place the jar from the patch in CLASSPATH before weblogic.jar

WebLogic: solution BEA06-125.00.
WebLogic Server and WebLogic Express version 8.1
  SP5 contains the fix.
WebLogic Server and WebLogic Express version 7.0
  SP7 contains the fix.
WebLogic Server and WebLogic Express version 6.1
  - install SP7
  - install patch ftp://ftpna.beasys.com/pub/releases/security/CR265136_610sp7.jar
  - place the jar from the patch in CLASSPATH before weblogic.jar

WebLogic: solution BEA06-126.00.
WebLogic Server 9.0
  - install patch 9.0 GA Combo (http://support.bea.com/, Bug ID CR239280)
  - install patch ftp://ftpna.bea.com/pub/releases/security/CR256930_900.zip

WebLogic: solution BEA06-127.00.
WebLogic Server 9.0
  - install patch 9.0 GA Combo (http://support.bea.com/, Bug ID CR239280)
  - install patch ftp://ftpna.bea.com/pub/releases/security/CR247655_900.jar
  - place the jar from the patch at the end of PATCH_CLASSPATH
WebLogic Server and WebLogic Express version 8.1
  - install SP5
  - install patch ftp://ftpna.beasys.com/pub/releases/security/CR247655_810sp5.jar
  - place the jar from the patch in CLASSPATH before weblogic.jar
  SP6 will contain the fix.
WebLogic Server and WebLogic Express version 7.0
  SP7 contains the fix.
WebLogic Server and WebLogic Express version 6.1
  - install SP7
  - install patch ftp://ftpna.beasys.com/pub/releases/security/CR247655_610sp7.jar
  - place the jar from the patch in CLASSPATH before weblogic.jar

WebLogic: solution BEA06-128.00.
WebLogic Server and WebLogic Express version 8.1
  SP5 contains the fix.
WebLogic Server and WebLogic Express version 7.0
  SP7 contains the fix.

WebLogic: solution BEA06-129.00.
WebLogic Server and WebLogic Express version 8.1
  SP5 contains the fix.
WebLogic Server and WebLogic Express version 7.0
  SP7 contains the fix.
WebLogic Server and WebLogic Express version 6.1
  - install SP7
  - install patch ftp://ftpna.beasys.com/pub/releases/security/CR238260_610sp7.jar
  - place the jar from the patch in CLASSPATH before weblogic.jar

WebLogic: solution BEA06-130.00.
WebLogic Server and WebLogic Express version 8.1
  SP5 contains the fix.
WebLogic Server and WebLogic Express version 7.0
  SP7 contains the fix.

WebLogic: solution BEA06-131.00.
The administrator must change the password through the console.

WebLogic: solution BEA06-132.00.
WebLogic Server and WebLogic Express version 8.1
  SP4 contains the fix.

WebLogic: solution BEA06-133.00.
WebLogic Server and WebLogic Express version 8.1
  SP5 contains the fix.
WebLogic Server and WebLogic Express version 7.0
  SP7 contains the fix.