BUGTRAQ ID: 25472
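BEA Systems WebLogic comprises a range of application and system integration products, including Server, Express and Integration.
BEA Systems WebLogic has a vulnerability in its handling of SSL connections that can lead to disclosure of sensitive information.
In some cases, an SSL client running outside the server environment may be unable to find all of the ciphers needed to build its SSL cipher suite list, which causes it to use a default non-encrypting cipher. The client may also support none of the cipher suites available on the server, in which case the server selects a cipher suite with a null cipher. In either case the SSL communication is not encrypted, and an attacker can obtain the information transmitted in plaintext.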
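A configuration check for the condition described above, added here as an example and not taken from the advisory or from BEA's code: it compares the cipher suite names enabled on a client and a server and reports whether a null-encryption suite can be, or must be, negotiated. The function names, verdict strings and sample suite lists are constructed for illustration, and both lists are assumed to use the same naming convention.

```python
import re

# Null-encryption suites name "NULL" as the cipher field:
# IANA/JSSE style "..._WITH_NULL_<mac>", OpenSSL style "NULL-SHA".
_IANA_NULL = re.compile(r"_WITH_NULL_")
_OPENSSL_NULL = re.compile(r"(^|-)NULL(-|$)")


def is_null_encryption(suite):
    """True if the named suite provides no confidentiality."""
    name = suite.strip().upper()
    return bool(_IANA_NULL.search(name) or _OPENSSL_NULL.search(name))


def audit(client_suites, server_suites):
    """Report whether the two peers can end up on an unencrypted session."""
    client = [s.strip().upper() for s in client_suites]
    server = [s.strip().upper() for s in server_suites]
    shared = [s for s in server if s in client]  # server preference order
    shared_encrypted = [s for s in shared if not is_null_encryption(s)]
    shared_null = [s for s in shared if is_null_encryption(s)]
    if shared_encrypted and not shared_null:
        verdict = "ok"
    elif shared_encrypted:
        verdict = "null-suite-negotiable"  # plaintext session still reachable
    elif shared_null:
        verdict = "plaintext-only"  # handshake can only succeed unencrypted
    else:
        verdict = "no-common-suite"  # handshake fails, the safe outcome
    return {
        "client_null": [s for s in client if is_null_encryption(s)],
        "server_null": [s for s in server if is_null_encryption(s)],
        "shared_encrypted": shared_encrypted,
        "verdict": verdict,
    }


# Constructed sample configurations (not from the advisory).
SERVER = ["TLS_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_RC4_128_SHA",
          "SSL_RSA_WITH_NULL_SHA"]
SERVER_HARDENED = [s for s in SERVER if not is_null_encryption(s)]
CLIENT_FULL = ["TLS_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_NULL_SHA"]
CLIENT_LIMITED = ["SSL_RSA_WITH_NULL_SHA", "SSL_RSA_WITH_NULL_MD5"]

if __name__ == "__main__":
    for label, c, s in [("limited client", CLIENT_LIMITED, SERVER),
                        ("full client", CLIENT_FULL, SERVER),
                        ("limited client, hardened server",
                         CLIENT_LIMITED, SERVER_HARDENED)]:
        print(label, "->", audit(c, s)["verdict"])
```

With null suites removed from the server list, the limited client gets a handshake failure instead of a plaintext session.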
The vendor has released upgrade patches that fix this security issue; download them from the vendor's site:
ftp://anonymous:dev2dev%[email protected]/pub/releases/security/CR319130_90_client.jar
ftp://anonymous:dev2dev%[email protected]/pub/releases/security/CR319130_81sp6_client.jar
ftp://anonymous:dev2dev%[email protected]/pub/releases/security/CR325828_70sp7.jar