ISS X-Force Database: weblogic-console-ip-disclosure(26462): BEA WebLogic Server Administration Console IP disclosure

BEA WebLogic Server Administration Console IP disclosure

weblogic-console-ip-disclosure (26462)

Low Risk

Description:

BEA WebLogic Server discloses the internal site IP address when a remote administrative user connects to the server using the Administration Console.

Consequences:

Obtain Information

Remedy:

Refer to BEA Systems Inc. Security Advisory: (BEA06-129.00) for upgrade information. See References.

References:

BEA Systems Inc. Security Advisory: (BEA06-129.00): Console displays the WebLogic Server IP address.
BID-17982: BEA WebLogic Multiple Vulnerabilities
CVE-2006-2467: BEA WebLogic Server 8.1 up to SP4, 7.0 up to SP6, and 6.1 up to SP7 displays the internal IP address of the WebLogic server in the WebLogic Server Administration Console, which allows remote authenticated administrators to determine the address.
SA20130: BEA WebLogic Server/Express Multiple Security Issues
SECTRACK ID: 1016097: WebLogic Server May Incorrectly Remove JDBC Security Policies
SECTRACK ID: 1016099: WebLogic Server Console Displays the Domain Name Prior to Authentication
VUPEN/ADV-2006-1828: BEA WebLogic Multiple Security Bypass and Information Disclosure Vulnerabilities

Platforms Affected:

Oracle WebLogic Server 6.1 SP6
Oracle WebLogic Server 6.1 SP5
Oracle WebLogic Server 6.1 SP4
Oracle WebLogic Server 6.1 SP3
Oracle WebLogic Server 6.1
Oracle WebLogic Server 6.1 SP7
Oracle WebLogic Server 6.1 SP2
Oracle WebLogic Server 6.1 SP1
Oracle WebLogic Server 7.0 SP6
Oracle WebLogic Server 8.1 SP1
Oracle WebLogic Server 8.1
Oracle WebLogic Server 8.1 SP4
Oracle WebLogic Server 8.1 SP2
Oracle WebLogic Server 8.1 SP3

Reported:

May 15, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page