BEA WebLogic Server allows unauthorized removal of EJB objects

2004-04-23T00:00:00
ID VU:658878
Type cert
Reporter CERT
Modified 2004-04-23T18:15:00

Description

Overview

There is a vulnerability in the BEA WebLogic Server that could allow the unauthorized removal of an Enterprise JavaBean (EJB).

Description

BEA Systems describes WebLogic Server as "an industrial-strength application infrastructure for developing, integrating, securing, and managing distributed Java applications." The WebLogic server supports the use of Enterprise JavaBean (EJB) applications. EJB is a component architecture used for building distributed, object-oriented business applications.

When designing an EJB application, there are various methods used to provide an interface with the WebLogic Server. There is a vulnerability in the way WebLogic Server handles calls to the remove() method. When an application implements this remove() method, the application can remove a stateful EJB object from a remote view even if that application does not have permission to remove it.

The BEA Security Advisory states that the following versions of WebLogic Server and Express are affected by this vulnerability:

* WebLogic Server and WebLogic Express version 8.1 through Service Pack 2, on all platforms
* WebLogic Server and WebLogic Express version 7.0 through Service Pack 4, on all platforms
* WebLogic Server and WebLogic Express version 6.1 through Service Pack 6, on all platforms

Impact

Enterprise JavaBean applications implementing the remove() method could allow unauthorized users to remove EJB objects from remote views.


Solution

Upgrade
WebLogic Server and WebLogic Express version 8.1

1. Upgrade to WebLogic Server and WebLogic Express version 8.1 Service Pack 2.
2. Install the patch from: ftp://ftpna.beasys.com/pub/releases/security/CR134122_810sp2.jar

WebLogic Server version 8.1 Service Pack 3 will include the functionality in this patch.

WebLogic Server and WebLogic Express version 7.0

Upgrade to WebLogic Server and WebLogic Express version 7.0 Service Pack 5.

WebLogic Server and WebLogic Express version 6.1

1. Upgrade to WebLogic Server and WebLogic Express version 6.1 Service Pack 6
2. Install the patch from: ftp://ftpna.beasys.com/pub/releases/security/CR134122_610sp6.jar

WebLogic Server version 6.1 Service Pack 7 will include the functionality in this patch.


Vendor Information

658878

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

BEA Systems Inc. __ Affected

Updated: April 23, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please refer to BEA Security Advisory BEA04-57.00.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | |
Temporal | |
Environmental | |

References

  • <http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_57.00.jsp>
  • <http://secunia.com/advisories/11436/>
  • <http://www.securitytracker.com/alerts/2004/Apr/1009897.html>
  • <http://www.weblogic.com/docs/techoverview/ejb.html>

Acknowledgements

This vulnerability was reported by BEA Systems Inc.

This document was written by Damon Morda.

Other Information

CVE IDs: | None
---|---
Severity Metric: | 3.90
Date Public: | 2004-04-21
Date First Published: | 2004-04-23
Date Last Updated: | 2004-04-23 18:15 UTC
Document Revision: | 19