BEA Weblogic Server and WebLogic Express configToScript information disclosure
| weblogic-configtoscr-information-disclosure (34288) |  Low Risk |
Description:
The BEA Weblogic Server and WebLogic Express could allow an authenticated local attacker with read access to obtain sensitive information. The configToScript command creates WLST scripts containing the plaintext node manager password. An attacker could exploit this vulnerability to obtain sensitive information.
Platforms Affected:
- BEA, WebLogic Server 9.0
- BEA, WebLogic Server 9.0 Express
- BEA, WebLogic Server 9.1
- BEA, WebLogic Server 9.1 Express
Remedy:
Refer to BEA07-163.00 for patch and upgrade information. See References.
Consequences:
Obtain Information
References:
- BEA07-163.00, The WLST script generated by configToScript may not encrypt sensitive attributes when creating a new domain. at https://support.bea.com/application_content/product_portlets/securityadvisories/233.html.
- BID-23979: Multiple BEA WebLogic Applications Multiple Vulnerabilities
- CVE-2007-2700: The WLST script generated by the configToScript command in BEA WebLogic Express and WebLogic Server 9.0 and 9.1 does not encrypt certain attributes in configuration files when creating a new domain, which allows remote authenticated users to obtain sensitive information.
- SA25284: BEA Products Multiple Vulnerabilities
- SECTRACK ID: 1018057: BEA WebLogic Server Multiple Bugs Let Remote Users Deny Service, Gain Elevated Privileges
- VUPEN/ADV-2007-1815: BEA Products Multiple Security Bypass and Information Disclosure Vulnerabilities
Reported:
May 15, 2007
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net