BEA WebLogic One-way SSL Session Encryption Failure

2005-10-10T04:35:37
ID OSVDB:20094
Type osvdb
Reporter OSVDB
Modified 2005-10-10T04:35:37

Description

Vulnerability Description

BEA WebLogic contains a flaw that may lead to unauthorized information disclosure. The problem is triggered when a client logs in using one-way SSL without specifying the user, which results in unprotected network traffic.

Solution Description

Upgrade to version 8.1 Service Pack 4 or higher, as it has been reported to fix this vulnerability. In addition, BEA Systems has released a patch for version 7.0 Service Pack 6 and 6.1 Service Pack 7.

Short Description

BEA WebLogic contains a flaw that may lead to unauthorized information disclosure. The problem is triggered when a client logs in using one-way SSL without specifying the user, which results in unprotected network traffic.

References:

Vendor URL: http://www.bea.com/
Vendor Specific Advisory URL
Security Tracker: 1015029
Secunia Advisory ID: 17138
Keyword: BEA05-85.00
CVE-2005-4704
Bugtraq ID: 15052