BEA WebLogic Server and Express bypass server policy

weblogic-server-policy-bypass (16121) The risk level is classified as MediumMedium Risk

Description:

BEA WebLogic Server and Express fails to enforce a policy that restricts a subset of users in the Admin and Operator security roles from starting and stopping a server. An unauthorized remote attacker, with Admin or Operator privileges, could bypass this restriction to stop or start a server.

Platforms Affected:

  • BEA, WebLogic Server 7.0 SP5
  • BEA, WebLogic Server 7.0 SP5 Express
  • BEA, WebLogic Server 8.1 SP2 Express
  • BEA, WebLogic Server 8.1 SP3
  • BEA, WebLogic Server 8.1 Express
  • BEA, WebLogic Server 8.1 SP1
  • BEA, WebLogic Server 8.1
  • BEA, WebLogic Server 8.1 SP1 Express

Remedy:

For WebLogic Server or WebLogic Express 8.1:
Upgrade to the latest Service Pack (SP2 or later) and install the CR173632_81sp2.jar patch, as listed in BEA Systems, Inc. Security Advisory: (BEA04-60.00). See References.

For WebLogic Server or WebLogic Express 7.0:
Upgrade to the latest Service Pack (SP5 or later) and install the CR173632_70sp5.jar patch, as listed in BEA Systems, Inc. Security Advisory: (BEA04-60.00). See References.

Consequences:

Bypass Security

References:

  • BEA Systems, Inc. Security Advisory (BEA04-60.00), Patches are available to protect user authorizations. at http://dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_60.00.jsp.
  • BID-10327: BEA WebLogic Server and WebLogic Express Denial of Service Vulnerability
  • CVE-2004-0471: BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2 does not enforce site restrictions for starting and stopping servers for users in the Admin and Operator security roles, which allows unauthorized users to cause a denial of service (service shutdown).
  • OSVDB ID: 6077: BEA WebLogic Unprivileged Stop/Start
  • SA11594: BEA WebLogic Admins and Operators May be Able to Stop the Service
  • SECTRACK ID: 1010129: BEA WebLogic May Let Remote Authenticated Admin/Operator Users Start or Stop Server

Reported:

May 11, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page