Multiple BEA WebLogic Server/Express Denial of Service and Information Disclosure Vulnerabilities

Solution:
The vendor has released fixes that address these issues.

For the proxy plug-in vulnerability described in advisory BEA03_39.00, BEA has released CR121341.zip for Unix-based systems and CR121341_win.zip for Windows systems.

For the T3S unexpected non-encrypted session vulnerability described in advisory BEA03_40.00, BEA has released CR107363_810sp1.jar and CR107363_700sp4.jar.

Regarding the plaintext foreign provider password issue described in advisory BEA03_41.00, BEA has released CR124344_81sp1.jar.

To address the denial of service condition in the WebLogic Node Manager described in BEA03_42.00, BEA has released CR125829_810sp1.jar, CR125829_700sp4.jar and CR125829_610sp5.jar.

Finally, for the configuration exposure issue described in BEA03_42.00, BEA has released guidance on modifying configurations to disallow the unwanted access and to limit what information may be exposed in such an attack. Further information can be found in the appropriate advisory.

BEA has released an updated advisory dealing with the anonymous remote user access to sensitive configuration information. This advisory, BEA04-43.01, is to be considered in addition to the previous advisory, BEA04-43.00. Please see the reference section for more details.

These fixes will be bundled into pending service packs for the various releases. Users are advised to apply all fixes for any vulnerable versions they are running.

For explicit information regarding these fixes, please see the appropriate advisories.

Fixes:

BEA Systems WebLogic Express 6.1
BEA Systems WebLogic Express 6.1 SP 1
BEA Systems WebLogic Express 6.1 SP 2
BEA Systems WebLogic Express 6.1 SP 3
BEA Systems WebLogic Express 6.1 SP 4
BEA Systems WebLogic Express 6.1 SP 5
BEA Systems WebLogic Server 6.1
BEA Systems WebLogic Server 6.1 SP 1
BEA Systems WebLogic Server 6.1 SP 2
BEA Systems WebLogic Server 6.1 SP 3
BEA Systems WebLogic Server 6.1 SP 4
BEA Systems WebLogic Server 6.1 SP 5
BEA Systems WebLogic Express 7.0
BEA Systems WebLogic Express 7.0 SP 1
BEA Systems WebLogic Express 7.0 SP 2
BEA Systems WebLogic Express 7.0 SP 3
BEA Systems WebLogic Server 7.0
BEA Systems WebLogic Server 7.0 SP 1
BEA Systems WebLogic Server 7.0 SP 2
BEA Systems WebLogic Server 7.0 SP 3
BEA Systems WebLogic Express 8.1
BEA Systems WebLogic Express 8.1 SP 1
BEA Systems WebLogic Server 8.1
BEA Systems WebLogic Server 8.1 SP 1
Copyright 2010, SecurityFocus