TITLE: BEA WebLogic MBean Exposure of Configuration Information
SECUNIA ADVISORY ID: SA18396
VERIFY ADVISORY: http://secunia.com/advisories/18396/
CRITICAL: Less critical
IMPACT: Exposure of system information, Exposure of sensitive information
WHERE: From remote
SOFTWARE:
BEA WebLogic Express 6.x http://secunia.com/product/1281/
BEA WebLogic Express 7.x http://secunia.com/product/1282/
BEA WebLogic Express 8.x http://secunia.com/product/1843/
BEA WebLogic Server 6.x http://secunia.com/product/753/
BEA WebLogic Server 7.x http://secunia.com/product/754/
BEA WebLogic Server 8.x http://secunia.com/product/1360/
DESCRIPTION: A security issue has been reported in BEA WebLogic Server and WebLogic Express, which can be exploited by malicious people to disclose system information and potentially sensitive information.
The problem is that the MBeanHome for a site can be retrieved anonymously via JNDI (Java Naming and Directory Interface). This can be exploited to disclose certain configuration MBeans containing potentially sensitive configuration information.
Successful exploitation requires RMI (Remote Method Invocation) access to the site and that anonymous admin lookup has not been disabled.
The security issue has been reported in versions 6.1, 7.0, and 8.1. Other versions may also be affected.
SOLUTION: The vendor recommends protecting JNDI entries that contain sensitive information, disabling anonymous admin lookup (version 7.x or later), or restricting RMI access to the server. See the vendor advisory for more details.
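The following check is an added example and is not part of the Secunia advisory or BEA's own code. It exercises the condition described above (an unauthenticated JNDI client asking the server for the admin MBeanHome) so that an administrator can confirm, before and after applying one of the vendor's mitigations, whether the anonymous lookup still succeeds. Assumptions not stated in the advisory: the JNDI name MBeanHome.ADMIN_JNDI_NAME, the weblogic.jndi.WLInitialContextFactory class and the getAllMBeans() call are taken from the WebLogic 6.x-8.x API; the t3:// URL is WebLogic's RMI transport; the host name is a placeholder. Compile and run with the target release's weblogic.jar on the classpath.

```java
// Added example, not the advisory's or BEA's code: probe whether a WebLogic
// 6.1/7.0/8.1 server still hands the admin MBeanHome to an anonymous JNDI client.
// Assumed from the WebLogic 6.x-8.x API (not from the advisory):
//   weblogic.management.MBeanHome.ADMIN_JNDI_NAME, MBeanHome.getAllMBeans(),
//   weblogic.jndi.WLInitialContextFactory. The host/port are placeholders.
import java.util.Hashtable;
import java.util.Set;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import weblogic.management.MBeanHome;

public class AnonymousAdminLookupCheck {

    /** Outcome of one probe against one server URL. */
    public static final class Result {
        public final boolean anonymousLookupAllowed;
        public final int visibleMBeans;
        public final String detail;

        Result(boolean allowed, int visible, String detail) {
            this.anonymousLookupAllowed = allowed;
            this.visibleMBeans = visible;
            this.detail = detail;
        }
    }

    /**
     * Builds an InitialContext with NO SECURITY_PRINCIPAL / SECURITY_CREDENTIALS
     * (that is the whole point: see what an anonymous caller gets) and tries to
     * resolve the admin MBeanHome. Once anonymous admin lookup is disabled or RMI
     * access is restricted, the lookup should fail with a NamingException or
     * SecurityException instead of returning an MBeanHome.
     */
    public static Result probe(String providerUrl) {
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        env.put(Context.PROVIDER_URL, providerUrl); // e.g. t3://host:7001 (WebLogic RMI transport)
        Context ctx = null;
        try {
            ctx = new InitialContext(env);
            Object bound = ctx.lookup(MBeanHome.ADMIN_JNDI_NAME);
            if (!(bound instanceof MBeanHome)) {
                return new Result(false, 0,
                    "lookup returned an unexpected type: " + bound.getClass().getName());
            }
            // Only count what is visible; do not dump attribute values, since the
            // configuration MBeans may carry credentials or other sensitive settings.
            MBeanHome home = (MBeanHome) bound;
            Set all = home.getAllMBeans();
            return new Result(true, all.size(),
                "anonymous lookup of " + MBeanHome.ADMIN_JNDI_NAME + " succeeded");
        } catch (NamingException e) {
            return new Result(false, 0, "lookup refused: " + e);
        } catch (SecurityException e) {
            return new Result(false, 0, "lookup refused: " + e);
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { /* best effort */ }
            }
        }
    }

    public static void main(String[] args) {
        // Placeholder host; pass the real admin or managed server URL as argv[0].
        String url = args.length > 0 ? args[0] : "t3://wls.example.internal:7001";
        Result r = probe(url);
        if (r.anonymousLookupAllowed) {
            System.out.println("VULNERABLE: " + r.detail
                + " (" + r.visibleMBeans + " MBeans visible to an anonymous caller)");
        } else {
            System.out.println("OK: " + r.detail);
        }
    }
}
```

Run the probe from a host that is outside the network segment you intend to trust: a "VULNERABLE" result from there means RMI is reachable and anonymous admin lookup is still enabled, so at least one of the vendor's three mitigations has not taken effect. An "OK" result only proves the lookup is refused from that vantage point; if you chose the "restrict RMI access" option rather than disabling anonymous admin lookup, repeat the probe from inside the allowed segment to confirm that legitimate clients still work.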
PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.
ORIGINAL ADVISORY: http://dev2dev.bea.com/pub/advisory/162
About: This Advisory was delivered by Secunia as a free service to help everybody keep their systems up to date against the latest vulnerabilities.
Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.