BEA WebLogic Server Null Cipher Suite Information Disclosure Vulnerability

2007-09-03T00:00:00
ID SSV:2184
Type seebug
Reporter Root
Modified 2007-09-03T00:00:00

Description

BUGTRAQ ID: 25472

BEA Systems WebLogic comprises several application-integration products, including Server, Express and Integration.

BEA Systems WebLogic has a vulnerability in its handling of SSL connections that may lead to the disclosure of sensitive information.

In some cases an SSL client running outside the server environment may be unable to locate all of the ciphers it needs to build its SSL cipher suite list, causing it to fall back to the default unencrypted cipher. The client may also support none of the cipher suites available on the server, in which case the server selects a cipher suite with a null cipher. Either way the SSL session is not encrypted, and an attacker can obtain the information transmitted in plaintext.

BEA Systems Weblogic Server 9.2
BEA Systems Weblogic Server 9.1
BEA Systems Weblogic Server 9.0
BEA Systems Weblogic Server 8.1
BEA Systems Weblogic Server 7.0
BEA Systems Weblogic Server 10.0
BEA Systems
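The negotiation failure described above, as an added example that is not part of this advisory and not WebLogic's own code: a plain JSSE server that removes null, anonymous and export cipher suites from its enabled list before accepting connections, so that a client offering only null suites gets a failed handshake rather than an unencrypted session. The class name, the helper names, the simplified selection model in negotiate(), and the cipher suite lists are all assumptions constructed for the demonstration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/**
 * Added example (not WebLogic code): keep null / anonymous / export cipher suites
 * out of a JSSE server's enabled list so that a client which offers only such
 * suites gets a failed handshake instead of a plaintext "SSL" session.
 */
public class NoNullCipherSuites {

    /** True for suites that provide no confidentiality or no peer authentication. */
    static boolean isWeak(String suite) {
        String s = suite.toUpperCase(Locale.ROOT);
        return s.contains("WITH_NULL")   // no bulk cipher, e.g. SSL_RSA_WITH_NULL_MD5
            || s.contains("_ANON_")      // unauthenticated key exchange
            || s.contains("_EXPORT_");   // 40/56-bit export-grade ciphers
    }

    /** Returns only those entries of {@code suites} that actually encrypt and authenticate. */
    static String[] strongOnly(String[] suites) {
        List<String> keep = new ArrayList<>();
        for (String s : suites) {
            if (!isWeak(s)) {
                keep.add(s);
            }
        }
        return keep.toArray(new String[0]);
    }

    /**
     * Simplified model of suite selection (an assumption for illustration, not
     * WebLogic's algorithm): the server walks its own enabled list in order and
     * takes the first suite the client also offered. Returns null on no overlap.
     */
    static String negotiate(String[] serverEnabled, String[] clientOffered) {
        List<String> offered = Arrays.asList(clientOffered);
        for (String s : serverEnabled) {
            if (offered.contains(s)) {
                return s;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed lists for the demonstration.
        String[] serverDefault = {
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "SSL_RSA_WITH_RC4_128_SHA",
            "SSL_RSA_WITH_NULL_SHA",   // null suites in the enabled list: the weak configuration
            "SSL_RSA_WITH_NULL_MD5"
        };
        // A client that could not load any real cipher and therefore offers only null suites.
        String[] brokenClient = { "SSL_RSA_WITH_NULL_SHA", "SSL_RSA_WITH_NULL_MD5" };

        // Weak configuration: the handshake succeeds on a null suite and traffic is plaintext.
        System.out.println("weak server selects:     " + negotiate(serverDefault, brokenClient));

        // Hardened configuration: no overlap, so the handshake fails closed.
        String[] hardened = strongOnly(serverDefault);
        System.out.println("hardened server selects: " + negotiate(hardened, brokenClient));

        // The same filter applied to a real JSSE server socket. Port 0 lets the OS
        // choose a free port; the socket exists only to show the configuration call.
        SSLServerSocketFactory factory = SSLContext.getDefault().getServerSocketFactory();
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(0)) {
            server.setEnabledCipherSuites(strongOnly(server.getSupportedCipherSuites()));
            for (String s : server.getEnabledCipherSuites()) {
                if (isWeak(s)) {
                    throw new IllegalStateException("weak suite still enabled: " + s);
                }
            }
            System.out.println("enabled suites after filtering: "
                + server.getEnabledCipherSuites().length);
        }
    }
}
```

The point of the filter is that the decision is made on the server side before any client connects: a client that cannot build a proper cipher list, as described in the advisory, then cannot drag the server into a null suite, because the server never enables one. The final loop re-reads the enabled list after setting it, which is the check an operator would script against a running server to confirm the configuration actually took effect.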


The vendor has released patches to fix this security issue; download them from the vendor's site:

ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR319130_90_client.jar
ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR319130_81sp6_client.jar
ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR325828_70sp7.jar