BEA WebLogic Cleartext Administrative Information Transmission

2004-09-13T00:00:00
ID OSVDB:9978
Type osvdb
Reporter OSVDB
Modified 2004-09-13T00:00:00

Description

Vulnerability Description

BEA Systems WebLogic contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a victim enters the boot password through the WebLogic Administrative Console while booting the WebLogic Server. A malicious user on the local network of a vulnerable system may capture the resulting cleartext network packets, which contain administrative information. This may disclose sensitive data (e.g. the system administrator's account information), resulting in a loss of confidentiality.

Solution Description

Upgrade to version 6.1 SP 7, 7.0 SP 5, 8.1 SP 3 or higher, as these versions have been reported to fix this vulnerability. It is also possible to mitigate the flaw with the following workaround: enable the Administrative Channel as outlined in the vendor documentation.

Short Description

BEA Systems WebLogic contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a victim enters the boot password through the WebLogic Administrative Console while booting the WebLogic Server. A malicious user on the local network of a vulnerable system may capture the resulting cleartext network packets, which contain administrative information. This may disclose sensitive data (e.g. the system administrator's account information), resulting in a loss of confidentiality.

References:

Vendor URL: http://www.bea.com/
Vendor Specific Solution URL: http://e-docs.bea.com/wls/docs81/lockdown/practices.html
Vendor Specific Solution URL: http://e-docs.bea.com/wls/docs70/lockdown/practices.html
Vendor Specific Advisory URL
Secunia Advisory ID: 12524
Keyword: BEA04-73.00
ISS X-Force ID: 17357
Bugtraq ID: 11168