BEA WebLogic foreign Java Messaging Service provider password is stored in plain text

weblogic-foreignjms-plaintext-password (13750) The risk level is classified as MediumMedium Risk

Description:

BEA WebLogic Server and Express could allow an attacker to obtain sensitive information, when a foreign Java Messaging Service (JMS) provider is used. A remote authenticated or local attacker can access the console or open the config.xml file to obtain the password to the JMS provider, which is stored in plain text.

Platforms Affected:

  • BEA, WebLogic Server 8.1 SP1 Express
  • BEA, WebLogic Server 8.1 SP1
  • BEA, WebLogic Server 8.1 Express
  • BEA, WebLogic Server 8.1
  • HP, HP-UX 11.00
  • HP, HP-UX 11i
  • IBM, AIX 4.3.3
  • Microsoft, Windows 2000 Professional
  • RedHat, Linux Intel Premium
  • Sun, Solaris 2.6
  • Sun, Solaris 2.7
  • Sun, Solaris 8

Remedy:

For WebLogic Server and Express 8.1:
Upgrade to Service Pack 2, when it becomes available, or upgrade to Service Pack 1 and apply the patch for this vulnerability, as listed in BEA Systems Inc. SECURITY ADVISORY (BEA03-41.00). See References.

Consequences:

Obtain Information

References:

  • BEA Systems, Inc. Security Advisory (BEA03-41.00), Patches available to protect password at http://dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03_41.00.jsp.
  • BID-16358: BEA WebLogic Multiple Vulnerabilities
  • BID-9034: Multiple BEA WebLogic Server/Express Denial of Service and Information Disclosure Vulnerabilities
  • CVE-2003-1222: BEA Weblogic Express and Server 8.0 through 8.1 SP 1, when using a foreign Java Message Service (JMS) provider, echoes the password for the foreign provider to the console and stores it in cleartext in config.xml, which could allow attackers to obtain the password.

Reported:

Nov 13, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page