BEA WebLogic connects multiple times allowing access to system

weblogic-multiple-connection-gain-access (15826) The risk level is classified as HighHigh Risk

Description:

BEA WebLogic Server and Express could allow a remote attacker to gain access to the system. The Web Services client code does not correctly associate a user's identity. A remote attacker can attempt to connect multiple times using different client certificates to cause an incorrect user identity to be associated with the attacker, allowing the attacker to gain access to the system. An attacker could exploit this vulnerability to execute arbitrary code on the system.


Consequences:

Gain Access

Remedy:

For WebLogic Server and Express 7.0:
Upgrade to Service Pack 5, when it becomes available, or upgrade to Service Pack 4 and apply the patch for this vulnerability, as listed in BEA Systems Inc. SECURITY ADVISORY (BEA04-47.00). See References.

References:

  • BEA Systems, Inc. Security Advisory (BEA04-47.00): Patch and upgrade available to prevent SSL Certificate re-use .
  • BID-9502: BEA WebLogic Server and Express SSL Client Privilege Escalation Vulnerability
  • CVE-2004-1755: The Web Services fat client for BEA WebLogic Server and Express 7.0 SP4 and earlier, when using 2-way SSL and multiple certificates to connect to the same URL, may use the incorrect identity after the first connection, which could allow users to gain privileges.
  • SA10725: BEA WebLogic May Provide Access to Wrong Identity
  • US-CERT VU#858990: BEA WebLogic Server fails to properly associate the user identity on subsequent client connections

Platforms Affected:

  • HP HP-UX 11.00
  • HP HP-UX 11i
  • IBM AIX 4.3.3
  • Microsoft Windows 2000 Professional
  • Oracle WebLogic Server 7.0 Express
  • Oracle WebLogic Server 7.0 SP3 Express
  • Oracle WebLogic Server 7.0 SP1 Express
  • Oracle WebLogic Server 7.0 Win32
  • Oracle WebLogic Server 7.0 SP2 Express
  • Oracle WebLogic Server 7.0 SP4
  • Oracle WebLogic Server 7.0 SP4 Express
  • Oracle WebLogic Server 7.0
  • Oracle WebLogic Server 7.0 SP1
  • Oracle WebLogic Server 7.0 SP2
  • Oracle WebLogic Server 7.0 SP3
  • Oracle WebLogic Server 7.0 SP4 Win32
  • Oracle WebLogic Server 7.0 SP3 Win32
  • Oracle WebLogic Server 7.0 SP1 Win32
  • RedHat Linux Intel Premium
  • Sun Solaris 2.6
  • Sun Solaris 2.7
  • Sun Solaris 8

Reported:

Jan 27, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page