
BEA WebLogic Server and WebLogic Express Multiple Remote Vulnerabilities

BEA WebLogic is susceptible to multiple vulnerabilities. The following specific issues have been identified:

- A denial-of-service vulnerability allows users with the 'Monitor security' role to reset JDBC connection pools, or to reduce the number of connections available.

- A denial-of-service vulnerability allows attackers to cause the failure of security exception auditing.

- An access-validation vulnerability in the security constraint system fails to force currently logged-in users to reauthenticate to the application server once security constraints have been altered and the application has been redeployed, even if the new constraints preclude the users' access.

- A local information-disclosure vulnerability exists because the 'UserLogin' control writes the cleartext passwords of failed authentication attempts to standard output.

- A denial-of-service vulnerability in the cookie parsing code may cause clustered servers to slow down when cookies with an invalid host or port are processed.

- Multiple unspecified cross-site scripting vulnerabilities reside in the server console and login page. These issues allow attackers to execute script code in the context of the affected website, possibly allowing them to gain administrative access to the affected application server.

- A vulnerability in the embedded LDAP server allows remote attackers to anonymously bind to it. This allows for information disclosure, and possibly a denial-of-service condition due to resource exhaustion.

- An unspecified buffer overflow vulnerability may allow remote attackers to cause the instance to become unstable. This issue may allow remote attackers to cause a thread loop, consuming CPU resources. Due to the nature of buffer-overflow vulnerabilities, an attacker may be able to execute arbitrary machine code in the context of the affected application.
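The 'UserLogin' issue above is an instance of a general failure-audit mistake: the audit path receives the submitted secret and echoes it into a log or console stream. The following is an added example, not code from the advisory or from BEA, showing the defensive pattern: the audit call never accepts the password at all, submitted fields are stripped of control characters so a user-supplied name cannot forge log lines, and a scrubbing filter redacts any credential-looking field that a careless code path still logs. Names (`record_failed_login`, `CredentialScrubber`, `build_audit_logger`) and the sample attempt are constructed for illustration.

```python
import logging
import re
from io import StringIO

# Defence-in-depth: scrub anything that looks like a credential field before the
# record reaches any handler, regardless of which code path produced the message.
_SECRET_FIELD = re.compile(r"(?i)(password|passwd|pwd|secret)\s*[=:]\s*\S+")


class CredentialScrubber(logging.Filter):
    """Logging filter that redacts credential-style key/value pairs in messages."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message first so %-style args are included in the scan.
        rendered = record.getMessage()
        record.msg = _SECRET_FIELD.sub(r"\1=[REDACTED]", rendered)
        record.args = ()
        return True


def _sanitize(field: str, max_len: int = 64) -> str:
    """Drop control characters (prevents forged log lines) and cap the length."""
    return "".join(ch for ch in field if ch.isprintable())[:max_len]


def record_failed_login(logger: logging.Logger, username: str,
                        remote_addr: str, reason: str) -> None:
    """Audit a failed authentication attempt.

    The signature deliberately has no password parameter: the secret cannot
    be logged by this path because it is never handed to it.
    """
    logger.warning("auth failure user=%s addr=%s reason=%s",
                   _sanitize(username), _sanitize(remote_addr), _sanitize(reason))


def build_audit_logger(name: str = "auth-audit"):
    """Audit logger writing to an in-memory buffer (a constructed sink for this example)."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.setLevel(logging.INFO)
    logger.propagate = False
    buf = StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(CredentialScrubber())
    return logger, buf


def demo() -> str:
    """Run two constructed failed-login events and return the captured audit text."""
    logger, buf = build_audit_logger()
    submitted_password = "hunter2"  # constructed sample secret, never passed to the audit call
    # The username carries an embedded newline, a classic log-forging attempt.
    record_failed_login(logger, "alice\nINFO fake entry", "203.0.113.7", "bad password")
    # A legacy code path that does include the secret is caught by the scrubber.
    logger.warning("legacy login control: user=bob password=%s", submitted_password)
    return buf.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

The two layers are independent: the audit function's signature is the primary control, and the filter is a backstop for code you do not own. The filter is attached to the logger rather than a single handler so that every handler (console, file, SIEM forwarder) sees the redacted record.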

This BID will be split into individual BIDs in the future as further details become available.

Copyright 2009, SecurityFocus