BEA WebLogic MBeanHome Config Information Disclosure

2003-11-13T12:00:00
ID OSVDB:3064
Type osvdb
Reporter OSVDB
Modified 2003-11-13T12:00:00

Description

Vulnerability Description

BEA WebLogic Express and Server contain a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the MBeanHome is retrieved by an anonymous user, which is allowed by default. This discloses any MBean configuration, resulting in a loss of confidentiality.

Technical Description

By default, MBeanHome is exposed through JNDI to anonymous users with RMI access. This may expose the various configuration MBeans reachable from it.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing one of these vendor recommendations:

  1. Protect the portions of the JNDI tree that contain sensitive data using the console. The "weblogic.management.adminhome", "weblogic.management.home.localhome" and "weblogic.management.home" entries are the ones that must be protected.
  2. On WebLogic Server 7.0 and greater, disable anonymous access by setting the Anonymous Admin Lookup Enabled attribute to false.
  3. Deny RMI access to clients. This vulnerability requires RMI access to JNDI; if RMI access can be denied (e.g. via a firewall), the flaw cannot be exploited.
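The following verification client is an added example, not part of the advisory or BEA's own tooling: after applying recommendation 1 or 2, it attempts an anonymous JNDI lookup of the three entries named above and reports which, if any, remain reachable. It assumes a placeholder server URL and that weblogic.jar (the t3 client and WLInitialContextFactory) is on the classpath.

```java
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/**
 * Post-hardening check: on a correctly protected server every anonymous
 * lookup below must fail. Any success means the configuration MBeans are
 * still exposed to unauthenticated RMI/t3 clients.
 */
public class AnonymousMBeanHomeCheck {

    // JNDI names listed in the advisory's solution item 1
    static final String[] PROTECTED_NAMES = {
        "weblogic.management.adminhome",
        "weblogic.management.home.localhome",
        "weblogic.management.home"
    };

    /** Returns true if an ANONYMOUS lookup of {@code name} succeeds (entry still exposed). */
    static boolean anonymousLookupSucceeds(String providerUrl, String name) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        // Deliberately no SECURITY_PRINCIPAL / SECURITY_CREDENTIALS: anonymous user
        Context ctx = null;
        try {
            ctx = new InitialContext(env);
            return ctx.lookup(name) != null;
        } catch (CommunicationException e) {
            // Server unreachable: do not report this as "protected"
            throw new IllegalStateException("cannot reach " + providerUrl, e);
        } catch (NamingException | SecurityException e) {
            // Name not found or access denied: the entry is protected
            return false;
        } finally {
            if (ctx != null) try { ctx.close(); } catch (NamingException ignored) {}
        }
    }

    public static void main(String[] args) {
        // Placeholder URL (assumption); pass the server under review as argument
        String url = args.length > 0 ? args[0] : "t3://weblogic.example.internal:7001";
        boolean exposed = false;
        for (String name : PROTECTED_NAMES) {
            boolean open = anonymousLookupSucceeds(url, name);
            exposed |= open;
            System.out.println(name + " -> " + (open ? "EXPOSED to anonymous" : "protected"));
        }
        System.exit(exposed ? 1 : 0);
    }
}
```

A non-zero exit status flags a server that still needs the vendor-recommended JNDI protection or the Anonymous Admin Lookup Enabled change.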

Short Description

BEA WebLogic Express and Server contain a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the MBeanHome is retrieved by an anonymous user, which is allowed by default. This discloses any MBean configuration, resulting in a loss of confidentiality.

References:

Secunia Advisory ID: 18396
Secunia Advisory ID: 10218
Other Advisory URL: http://dev2dev.bea.com/pub/advisory/162
ISS X-Force ID: 13752
CVE ID: CVE-2003-1290
Bugtraq ID: 9034