Vulnerability of WebLogic: several vulnerabilities

Synthesis of the vulnerability

An attacker can exploit several vulnerabilities of WebLogic Server and Express.
Impacted products: WebLogic.
Severity of this bulletin: 3/4.
Number of vulnerabilities in this bulletin: 23.
Creation date: 17/01/2007.
References of this threat: BEA07-107.02, BEA07-125.01, BEA07-134.00, BEA07-135.00, BEA07-136.00, BEA07-137.00, BEA07-138.00, BEA07-139.00, BEA07-140.00, BEA07-141.00, BEA07-142.00, BEA07-143.00, BEA07-144.00, BEA07-145.00, BEA07-146.00, BEA07-147.00, BEA07-148.00, BEA07-149.00, BEA07-150.00, BEA07-152.00, BEA07-155.00, BEA07-60.01, BEA07-75.01, BID-22077, BID-22082, CERTA-2007-AVI-044, CVE-2007-0408, CVE-2007-0409, CVE-2007-0410, CVE-2007-0411, CVE-2007-0412, CVE-2007-0413, CVE-2007-0414, CVE-2007-0415, CVE-2007-0416, CVE-2007-0417, CVE-2007-0418, CVE-2007-0419, CVE-2007-0420, CVE-2007-0421, CVE-2007-0422, CVE-2007-0424, CVE-2007-0425, CVE-2007-4613, CVE-2007-4614, VIGILANCE-VUL-6477.

Description of the vulnerability

An attacker can exploit several vulnerabilities of WebLogic Server and Express.

An attacker with the Admin or Operator role, but with restricted access, can start or stop services. [severity:3/4; BEA07-60.01]

An attacker with the Monitor role can configure JDBC connection pools. [severity:3/4; BEA07-75.01]

An attacker can conduct a brute force attack against an account without the account being locked. [severity:3/4; BEA07-107.02]

Several services expose private information. [severity:3/4; BEA07-125.01]

An attacker can obtain fragments of data encapsulated in SSL. [severity:3/4; BEA07-134.00, CVE-2007-4613]

In some cases, the server does not correctly validate the X.509 client certificate. [severity:3/4; BEA07-135.00, CERTA-2007-AVI-044, CVE-2007-0408]

The password of the JDBCDataSourceFactory MBean is not encrypted. [severity:3/4; BEA07-136.00, CVE-2007-0409]

Some request sequences cause a thread to hang, and thus the service to hang. [severity:3/4; BEA07-137.00, CVE-2007-0410]

An attacker can mount a Man-in-the-Middle attack when WS-Security is used. [severity:3/4; BEA07-138.00, CVE-2007-0411]

An attacker can access application files via an .ear archive. [severity:3/4; BEA07-139.00, CVE-2007-0412]

When an administrator edits config.xml to store sensitive data, that data is not secured when the service starts. [severity:3/4; BEA07-140.00, CVE-2007-0413]

In some cases, an error in error page handling leads to a denial of service. [severity:3/4; BEA07-141.00, CVE-2007-0414]

A dynamic update of an application deployed as exploded jars results in incorrect access permissions. [severity:3/4; BEA07-142.00, CVE-2007-0415]

The WSSE runtime incorrectly handles the decryption of messages. [severity:3/4; BEA07-143.00, CVE-2007-0416]

In version 6.1 compatibility mode, some EJBs are executed with administrative privileges. [severity:3/4; BEA07-144.00, CVE-2007-0417]

An attacker can send special parameters to an EJB in order to elevate their privileges. [severity:3/4; BEA07-145.00, CVE-2007-0418]

In some cases, the proxy plug-in for Apache can generate a denial of service. [severity:3/4; BEA07-146.00, CVE-2007-0419]

A malformed HTTP request may allow access to data from previous requests. [severity:3/4; BEA07-147.00, CVE-2007-0420]

An attacker can use specific headers in order to alter log files or to fill the disk. [severity:3/4; BEA07-148.00, CVE-2007-0421]

Policy changes may not be replicated. [severity:3/4; BEA07-149.00, CVE-2007-4614]

Under Solaris 9, an attacker can manipulate sockets in order to cause a denial of service. [severity:3/4; BEA07-150.00, CVE-2007-0422]

Several vulnerabilities affect the proxy plug-in for Netscape Enterprise Server. [severity:3/4; BEA07-152.00, CVE-2007-0424]

An attacker can execute code via an overflow in JRockit. [severity:3/4; BEA07-155.00, BID-22077, CVE-2007-0425]

This threat note impacts software or systems such as WebLogic.

Our Vigil@nce team determined that the severity of this cybersecurity note is important.

The trust level is "confirmed by the editor", and the attack origin is "internet client".

This bulletin is about 23 vulnerabilities.

An attacker with expert ability can exploit this vulnerability note.

Solutions for this threat

WebLogic Server/Express 9.2: patches.
Smart Update [ http://edocs.bea.com/common/docs91/smart_update/quickrefax.html ] can be used to install the following patches:
 - CR237973
 - CR276583
 - CR283953

WebLogic Server/Express 9.1: patches.
Smart Update [ http://edocs.bea.com/common/docs91/smart_update/quickrefax.html ] can be used to install the following patches:
 - CR236939
 - CR237973
 - CR265150
 - CR266413
 - CR276583
 - CR282546
 - CR283953

WebLogic Server/Express 9.0: patches.
After installing the 9.0 GA Combo patch (Bug ID CR239280), the following patches have to be installed:
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR232325_900.jar
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR236939_900rp.jar
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR237973_900.jar
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR248397_900.jar
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR258305_900.jar
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR265150_900.jar
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR266413_900.jar
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR276583_900.jar
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR283953_900rp.jar
BEA's announcements describe the full procedure.

WebLogic Server/Express 8.1: Service Pack 6.
Version 8.1 Service Pack 6 contains the fixes:
  WebLogic Server:
    http://commerce.bea.com/showallversions.jsp?family=WLS
  WebLogic Platform:
    http://commerce.bea.com/showallversions.jsp?family=WLP

WebLogic Server/Express 7.0: Service Pack 7 plus patches.
After installing Service Pack 7, the following patches have to be installed:
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR239231_70sp7.jar
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR265150_700sp7.jar
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR276586_700sp7.jar
And, when the Phaos stack libraries are used for SSL:
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR102790_700sp7.zip
BEA's announcements describe the full procedure.

WebLogic Server/Express 6.1: Service Pack 7 plus patches.
After installing Service Pack 7, the following patches have to be installed:
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR265136_610sp7_v1.jar
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR239231_61sp7.jar
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR248397_610sp7.jar
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR276586_610sp7.jar
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR102790_61sp7.jar
BEA's announcements describe the full procedure.

WebLogic Server: Apache plug-in.
The corrected version is available at:
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/BEA-Apache-plugins_Dec06.zip

WebLogic Server: Netscape Enterprise Server plug-in.
The corrected version is available at:
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/BEA-NSapi-plugins_Dec06.zip