CIA RESEARCH

Alerts

[CIA-1032-Alert] BEA Weblogic Server Multiple Vulnerabilities

Summary:

Multiple vulnerabilities were discovered in the BEA Weblogic server that permit denial of service, Cross-Site Scripting, and privilege elevation attacks.

Technical Details:

BEA issued 22 separate advisories relating to the Weblogic Server platform. Among these advisories are various vulnerability types:

• Weak SSL encryption is used under certain circumstances.
• Denial of service via causing server threads to hang.
• Privilege elevation attacks.
• Cross-Site Scripting
• Buffer Overflows
• Unauthorized file access and information disclosure
• Unauthorized accesss to servlets.
• Disclosure of system or user passwords

Consult in the individual advisories to determine if your platform in affected. BEA Weblogic server versions 6.1 SP7, 7.0 SP6, 8.1 SP4, 9.0, and others, are known to be affected by one or more of the advisories.

Solution:

Affected sites should apply the appropriate BEA patches for their server.
http://dev2dev.bea.com/pub/advisory/161
http://dev2dev.bea.com/pub/advisory/160
http://dev2dev.bea.com/pub/advisory/159
http://dev2dev.bea.com/pub/advisory/158
http://dev2dev.bea.com/pub/advisory/157
http://dev2dev.bea.com/pub/advisory/156
http://dev2dev.bea.com/pub/advisory/155
http://dev2dev.bea.com/pub/advisory/154
http://dev2dev.bea.com/pub/advisory/153
http://dev2dev.bea.com/pub/advisory/152
http://dev2dev.bea.com/pub/advisory/151
http://dev2dev.bea.com/pub/advisory/150
http://dev2dev.bea.com/pub/advisory/149
http://dev2dev.bea.com/pub/advisory/148
http://dev2dev.bea.com/pub/advisory/147
http://dev2dev.bea.com/pub/advisory/146
http://dev2dev.bea.com/pub/advisory/145
http://dev2dev.bea.com/pub/advisory/144
http://dev2dev.bea.com/pub/advisory/143
http://dev2dev.bea.com/pub/advisory/142
http://dev2dev.bea.com/pub/advisory/141
http://dev2dev.bea.com/pub/advisory/140

CVE Reference:

GENERIC-MAP-NOMATCH

SecurityTracker Number(s):

1015029

Vendor URL:

dev2dev.bea.com/advisoriesnotifications/

About the Cenzic CIA Team:

Cenzic Intelligent Analysis (CIA) is Cenzic?s research arm that focuses on continuous research for application vulnerabilities. Industry Research, Vulnerability assessment, penetration testing, and security testing ? that?s what Cenzic Intelligent Analysis Research is all about. Cenzic has dedicated experts whose sole job is to perform ongoing research to find not only common vulnerabilities but also vulnerabilities found in customer applications and make them available to our customers and to the community at large.

About Cenzic:

Cenzic provides Hailstorm? the revolutionary enterprise software suite for automated application security assessment and compliance that allows corporations and government organizations to dramatically improve the security of commercial and custom applications. Hailstorm enables security experts, QA professionals, and developers to work together to assess, analyze, and remediate applications for security vulnerabilities, and verify compliance with security policies. Benefits include reduced security risk and liability, lower development and testing costs, and faster time-to-market. Cenzic?s customers are currently in the financial services and e-marketplaces sectors. For more information visit www.cenzic.com or call 1-866-4-CENZIC