TITLE:
BEA WebLogic 24 Vulnerabilities and Security Issues

SECUNIA ADVISORY ID:
SA17138

VERIFY ADVISORY:
http://secunia.com/advisories/17138/

CRITICAL:
Moderately critical

IMPACT:
Security Bypass, Cross Site Scripting, Manipulation of data, Brute force,
Exposure of system information, Exposure of sensitive information,
Privilege escalation, DoS

WHERE:
From remote

SOFTWARE:
BEA WebLogic Server 9.x
http://secunia.com/product/5822/
BEA WebLogic Server 8.x
http://secunia.com/product/1360/
BEA WebLogic Server 7.x
http://secunia.com/product/754/
BEA WebLogic Server 6.x
http://secunia.com/product/753/
BEA WebLogic Express 9.x
http://secunia.com/product/5823/
BEA WebLogic Express 8.x
http://secunia.com/product/1843/
BEA WebLogic Express 7.x
http://secunia.com/product/1282/
BEA WebLogic Express 6.x
http://secunia.com/product/1281/

DESCRIPTION:
24 vulnerabilities and security issues have been reported in WebLogic
Server and WebLogic Express. The most critical ones can potentially be
exploited by malicious users to gain escalated privileges, and by
malicious people to conduct cross-site scripting and HTTP request
smuggling attacks, cause a DoS (Denial of Service), and bypass certain
security restrictions.

1) An error in the thread handling of the server can be exploited by
malicious clients to hang threads on a vulnerable server.

The vulnerability affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 5 (all platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all platforms)

2) Some unspecified input isn't properly sanitised before being returned
to the user. This can be exploited to execute arbitrary HTML and script
code in a user's or administrator's browser session in the context of
an affected site.

This is related to vulnerability #6 in:
SA15486

The vulnerability affects the following versions:
* WebLogic Server / Express 9.0 initial release (all platforms)
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all platforms)

3) The problem is that Java client applications using the SSL protocol
without specifying a user may, in certain situations, be communicating
insecurely over an unencrypted protocol.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 3 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all platforms)

4) The problem is that if a Java client application creates both
insecure and secure (SSL) connections to a server, then in certain
situations an insecure connection will be established instead of the
intended secure connection.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all platforms)

5) An error in the deployment of Web applications and EJBs can be
exploited by a malicious web application with Deployer privileges to
gain Admin privileges via the run-as deployment descriptor element.

The vulnerability affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)

6) The problem is that under heavy load some audit events may be posted
with incorrect severity levels on sites that have auditing enabled.
This may cause some customer filtering software to miss certain audit
events.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)

7) The problem is that IP addresses of machines behind a firewall can
be disclosed by a malicious person via NAT (Network Address
Translation).

The vulnerability affects the following version:
* WebLogic Server 8.1 through Service Pack 3 (all platforms)

8) The passphrase for the Trust keystore is stored in clear text in the
"nodemanager.config" file. This can be exploited to disclose the
server's private keys.

Successful exploitation requires file access to the
"nodemanager.config" file.

The security issue affects the following version:
* WebLogic Server 8.1 through Service Pack 3 (all platforms)

9) An error where Principals from a derived Principal class are not
properly validated in certain situations may be exploited to gain
escalated privileges.

The vulnerability affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 5 (all platforms)

10) An error where the servlet root URL pattern does not properly
protect servlets may be exploited by malicious people to access certain
servlet resources.

The vulnerability affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 3 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 5 (all platforms)

11) An error in the restriction of an unspecified internal servlet in
the Administration server can be exploited to access files on the local
file system.

Successful exploitation requires the Admin security role.

The vulnerability affects the following version:
* WebLogic Server / Express 8.1 through Service Pack 3 (all platforms)

12) An error in the importing of security policies from other operating
systems (e.g. from UNIX to Windows) can cause servlets to be left
unprotected.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 (all platforms)
* WebLogic Server / Express 7.0 (all platforms)

13) The passphrase for the private key used to configure SSL is
displayed in clear text on the terminal and stored in clear text in the
server log file when creating a WebLogic server domain via the
configuration wizard.

The security issue affects the following version:
* WebLogic Server 8.1 through Service Pack 3 (all platforms)

14) The problem is that certain servlet resources may not be properly
protected from malicious people after an error occurs during deployment
when the fullyDelegateAuthorization mode is enabled.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 3 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 5 (all platforms)

15) The problem is that system properties which may contain sensitive
information (e.g. passwords) are logged to the server log file.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 5 (all platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all platforms)

16) The problem is that the password used to boot the server is stored
in clear text in the Windows registry.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all platforms)

17) The problem is that a password is included in a subject when using
the IIOP (Internet Inter-ORB Protocol) protocol and may be exposed in
an exception to a remote client or in the server log.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all platforms)

18) WebLogic Server / Express has a user lockout mechanism designed to
protect against brute-force attacks. The problem is that the feature
can be exploited by malicious people to lock out the administrator via
multiple incorrect login requests.

Successful exploitation requires knowledge of the administrator's
username.

19) The problem is that a Deployer can use the weblogic.Deployer
command over the insecure t3 protocol when communicating with the
Administration server.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)

20) The problem is that Multicast messages are sent in clear text in
clusters.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 5 (all platforms)

21) An error in the handling of incorrect log records may cause MBean
configuration changes not to be saved in the audit log.

The security issue affects the following version:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)

22) An error in the handling of malformed HTTP requests may be
exploited by malicious people to conduct HTTP request smuggling
attacks.

The vulnerability affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)
* WebLogic Server / Express 6.1 through Service Pack 7 (all platforms)

23) An error in the handling of servlets doing relative forwarding may
cause a vulnerable site to become unusable in certain situations.

The security issue affects the following versions:
* WebLogic Server / Express 8.1 through Service Pack 4 (all platforms)
* WebLogic Server / Express 7.0 through Service Pack 6 (all platforms)

24) An error in the user lockout security mechanism allows malicious
people to perform more login requests than intended.

The security issue affects the following versions:
* WebLogic Server 8.1 through Service Pack 5 (all platforms)
* WebLogic Server 7.0 through Service Pack 6 (all platforms)

SOLUTION:
Patches and updated documentation are available (see the original
vendor advisories).

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

2) The vendor credits:
* ACROS Security
* DV Bern AG
* Application Security Inc
* GomoR

ORIGINAL ADVISORY:
http://dev2dev.bea.com/pub/advisory/138
http://dev2dev.bea.com/pub/advisory/139
http://dev2dev.bea.com/pub/advisory/140
http://dev2dev.bea.com/pub/advisory/141
http://dev2dev.bea.com/pub/advisory/142
http://dev2dev.bea.com/pub/advisory/143
http://dev2dev.bea.com/pub/advisory/144
http://dev2dev.bea.com/pub/advisory/145
http://dev2dev.bea.com/pub/advisory/146
http://dev2dev.bea.com/pub/advisory/147
http://dev2dev.bea.com/pub/advisory/148
http://dev2dev.bea.com/pub/advisory/149
http://dev2dev.bea.com/pub/advisory/150
http://dev2dev.bea.com/pub/advisory/151
http://dev2dev.bea.com/pub/advisory/152
http://dev2dev.bea.com/pub/advisory/153
http://dev2dev.bea.com/pub/advisory/154
http://dev2dev.bea.com/pub/advisory/155
http://dev2dev.bea.com/pub/advisory/156
http://dev2dev.bea.com/pub/advisory/157
http://dev2dev.bea.com/pub/advisory/158
http://dev2dev.bea.com/pub/advisory/159
http://dev2dev.bea.com/pub/advisory/160
http://dev2dev.bea.com/pub/advisory/161

OTHER REFERENCES:
SA15486:
http://secunia.com/advisories/15486/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories
http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

----------------------------------------------------------------------
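Item 22 above names HTTP request smuggling without describing the framing defect behind it: a front-end and a back-end that read the same malformed request with different body lengths. As an added example, not code from the Secunia or BEA advisories, the Python checker below flags the header combinations a defensive proxy or log analyser should reject or alert on; the sample requests, host and path are constructed.

```python
"""Flag HTTP/1.1 requests whose message framing is ambiguous.

Added example, not code from the Secunia or BEA advisories: request
smuggling (item 22) relies on a front-end and back-end disagreeing on
where a request body ends, so a defensive proxy or log analyser should
reject or alert on requests whose Content-Length / Transfer-Encoding
headers permit two readings. The sample requests below are constructed.
"""
from typing import List, Tuple


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Return (raw_name, stripped_value) pairs from a raw request's header block."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = []
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name, value.strip()))
    return headers


def framing_findings(raw: bytes) -> List[str]:
    """Return the reasons (possibly none) the request's body length is ambiguous."""
    headers = parse_headers(raw)
    findings = []
    # Whitespace around a header name ("Transfer-Encoding : chunked") is
    # honoured by some servers and ignored by others, so it is a finding.
    if any(name != name.strip() for name, _ in headers):
        findings.append("whitespace around a header name")
    cl = [v for n, v in headers if n.strip().lower() == "content-length"]
    te = [v for n, v in headers if n.strip().lower() == "transfer-encoding"]
    if cl and te:
        findings.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        findings.append("conflicting Content-Length values: " + ", ".join(cl))
    if any(not v.isdigit() for v in cl):
        findings.append("non-numeric Content-Length")
    if any(v != "chunked" for v in te):  # only bare lower-case "chunked" is read the same everywhere
        findings.append("non-canonical Transfer-Encoding: " + ", ".join(te))
    return findings


# Constructed sample requests (Host header "h" and path "/a" are placeholders).
CLEAN = b"POST /a HTTP/1.1\r\nHost: h\r\nContent-Length: 5\r\n\r\nhello"
CL_TE = (b"POST /a HTTP/1.1\r\nHost: h\r\nContent-Length: 4\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
DUP_CL = (b"POST /a HTTP/1.1\r\nHost: h\r\nContent-Length: 5\r\n"
          b"Content-Length: 6\r\n\r\nhello")
OBF_TE = b"POST /a HTTP/1.1\r\nHost: h\r\nTransfer-Encoding : xchunked\r\n\r\n0\r\n\r\n"
```

Run `framing_findings` on each sample: only CLEAN returns an empty list; the others return the specific ambiguity that a front-end/back-end pair could resolve differently.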