BEA WebLogic Server unauthorized cross domain management

weblogic-cross-domain-management (24286) The risk level is classified as LowLow Risk

Description:

BEA WebLogic Server and Express version could allow domain administrative users to gain unauthorized access to other user's domains. Multiple domains that are created from the same instance of WebLogic Server are accessible by any domain administrative user, regardless of whether or not the user has been granted access to the domain. This leads to weaker than expected security standards for affected domains.


Consequences:

Bypass Security

Remedy:

Refer to BEA Systems, Inc. Security Advisory: (BEA06-108.00) for a suggested workaround. See References.

References:

  • BEA Systems, Inc. Security Advisory: (BEA06-108.00): Documentation is available describing securing multiple-domains managed from one instance of the WebLogic Server Administration Console. .
  • BID-16358: BEA WebLogic Multiple Vulnerabilities
  • CVE-2006-0421: By design, BEA WebLogic Server and WebLogic Express 7.0 and 6.1, when creating multiple domains from the same WebLogic instance on the same machine, allows administrators of any created domain to access other created domains, which could allow administrators to gain privileges that were not intended.
  • OSVDB ID: 22778: BEA WebLogic Cross Domain Administrator Access
  • SA18581: BEA WebLogic Server/Express Multiple Domains Administrator Access
  • SECTRACK ID: 1015528: BEA WebLogic Multiple Bugs Let Remote Users Deny Service, Obtain Information, and Access Restricted Resources

Platforms Affected:

  • Oracle WebLogic Server 6.1 Express
  • Oracle WebLogic Server 6.1
  • Oracle WebLogic Server 7.0 Express
  • Oracle WebLogic Server 7.0

Reported:

Jan 23, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page