BEA WebLogic Server and Express custom trust manager certificate spoofing

weblogic-trust-certificate-spoofing (15862) The risk level is classified as MediumMedium Risk

Description:

BEA WebLogic could allow a remote attacker to spoof a certificate when a custom trust manager is used. A remote attacker could spoof a system administrator's certificate using an inbound two-way Secure Sockets Layer (SSL) request or an outbound SSL request to spoof a remote server.


Consequences:

Bypass Security

Remedy:

For WebLogic Server and Express 8.1:
Upgrade to Service Pack 2, as listed in BEA Security Advisory (BEA04-54.00). See References.

For WebLogic Server and Express 7.0:
Upgrade to Service Pack 5, as listed in BEA Security Advisory (BEA04-54.00). See References.

References:

  • BEA Systems, Inc. Security Advisory (BEA04-54.00): Patches available to prevent user impersonation..
  • CIAC Information Bulletin O-132: BEA WebLogic Server and Express Certificate Spoofing Vulnerability.
  • BID-10132: BEA WebLogic Server and WebLogic Express Certificate Chain User Impersonation Vulnerability
  • CVE-2004-1756: BEA WebLogic Server and WebLogic Express 8.1 SP2 and earlier, and 7.0 SP4 and earlier, when using 2-way SSL with a custom trust manager, may accept a certificate chain even if the trust manager rejects it, which allows remote attackers to spoof other users or servers.
  • SA11358: BEA WebLogic SSL Impersonation Vulnerability
  • SECTRACK ID: 1009765: BEA WebLogic Custom Trust Manager Flaw May Let Remote Users Impersonate Target Users or Servers
  • US-CERT VU#566390: BEA WebLogic Server fails to properly validate certificate chains

Platforms Affected:

  • Oracle WebLogic Server 7.0 SP2 Express
  • Oracle WebLogic Server 7.0 SP4
  • Oracle WebLogic Server 7.0 SP4 Express
  • Oracle WebLogic Server 7.0 SP3 Express
  • Oracle WebLogic Server 7.0 SP1 Express
  • Oracle WebLogic Server 7.0 Win32
  • Oracle WebLogic Server 7.0 SP4 Win32
  • Oracle WebLogic Server 7.0 SP3
  • Oracle WebLogic Server 7.0 SP2
  • Oracle WebLogic Server 7.0 SP1
  • Oracle WebLogic Server 7.0 Express
  • Oracle WebLogic Server 8.1 SP1
  • Oracle WebLogic Server 8.1
  • Oracle WebLogic Server 8.1 SP2 Win32
  • Oracle WebLogic Server 8.1 SP2 Express
  • Oracle WebLogic Server 8.1 Express
  • Oracle WebLogic Server 8.1 SP1 Win32
  • Oracle WebLogic Server 8.1 SP1 Express
  • Oracle WebLogic Server 8.1 Win32
  • Oracle WebLogic Server 8.1 SP2

Reported:

Apr 13, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page