BEA WebLogic Server and Express allows EJB object deletion
| weblogic-ejb-object-deletion (15928) |  Medium Risk |
Description:
BEA WebLogic Server and Express could allow a remote authenticated attacker to delete arbitrary Enterprise JavaBeans (EJB) objects. By creating an application that calls the remove function of an EJB with a remote view, a remote attacker could cause some services to become unavailable.
Platforms Affected:
- BEA, WebLogic Server 6.1 SP4 Win32
- BEA, WebLogic Server 6.1 SP3 Express
- BEA, WebLogic Server 6.1 SP3 Win32
- BEA, WebLogic Server 6.1 SP2
- BEA, WebLogic Server 6.1 Express
- BEA, WebLogic Server 6.1 SP1
- BEA, WebLogic Server 6.1
- BEA, WebLogic Server 6.1 SP6 Win32
- BEA, WebLogic Server 6.1 Win32
- BEA, WebLogic Server 6.1 SP4 Express
- BEA, WebLogic Server 6.1 SP1 Express
- BEA, WebLogic Server 6.1 SP6
- BEA, WebLogic Server 6.1 SP5 Win32
- BEA, WebLogic Server 6.1 SP5 Express
- BEA, WebLogic Server 6.1 SP5
- BEA, WebLogic Server 6.1 SP1 Win32
- BEA, WebLogic Server 6.1 SP2 Express
- BEA, WebLogic Server 6.1 SP2 Win32
- BEA, WebLogic Server 6.1 SP3
- BEA, WebLogic Server 6.1 SP4
- BEA, WebLogic Server 7.0
- BEA, WebLogic Server 7.0 SP2 Express
- BEA, WebLogic Server 7.0 SP4
- BEA, WebLogic Server 7.0 Express
- BEA, WebLogic Server 7.0 SP4 Express
- BEA, WebLogic Server 7.0 SP3 Express
- BEA, WebLogic Server 7.0 SP1 Express
- BEA, WebLogic Server 7.0 Win32
- BEA, WebLogic Server 7.0 SP1 Win32
- BEA, WebLogic Server 7.0 SP3 Win32
- BEA, WebLogic Server 7.0 SP4 Win32
- BEA, WebLogic Server 7.0 SP3
- BEA, WebLogic Server 7.0 SP1
- BEA, WebLogic Server 7.0 SP2
- BEA, WebLogic Server 8.1 Express
- BEA, WebLogic Server 8.1 SP1 Express
- BEA, WebLogic Server 8.1 Win32
- BEA, WebLogic Server 8.1 SP1 Win32
- BEA, WebLogic Server 8.1 SP1
- BEA, WebLogic Server 8.1 SP2 Express
- BEA, WebLogic Server 8.1 SP2 Win32
- BEA, WebLogic Server 8.1
- BEA, WebLogic Server 8.1 SP2
Remedy:
For WebLogic Server or WebLogic Express 8.1:
Upgrade to the latest Service Pack (SP2 or later) and install the CR134122_810sp2.jar patch, as listed in BEA Systems, Inc. Security Advisory: (BEA04-57.00). See References.
For WebLogic Server or WebLogic Express 7.0:
Upgrade to the latest Service Pack (SP5 or later), as listed in BEA Systems, Inc. Security Advisory: (BEA04-57.00). See References.
For WebLogic Server or WebLogic Express 6.1:
Upgrade to the latest Service Pack (SP6 or later) and install the CR134122_610sp6.jar patch, as listed in BEA Systems, Inc. Security Advisory: (BEA04-57.00). See References.
Consequences:
File Manipulation
References:
- BEA Systems, Inc. Security Advisory (BEA04-57.00), Upgrade and patches are available to prevent EJB objects being deleted without the required permission. at http://dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_57.00.jsp.
- BID-10185: BEA WebLogic Server/Express EJB Object Removal Denial Of Service Vulnerability
- CVE-2004-0713: The remove method in a stateful Enterprise JavaBean (EJB) in BEA WebLogic Server and WebLogic Express version 8.1 through SP2, 7.0 through SP4, and 6.1 through SP6, does not properly check EJB permissions before unexporting a bean, which allows remote authenticated users to remove EJB objects from remote views before the security exception is thrown.
- US-CERT VU#658878: BEA WebLogic Server allows unauthorized removal of EJB objects
Reported:
Apr 21, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net