BEA WebLogic Authentication Provider Privilege Inheritance Vulnerability
BID:10130
Info
BEA WebLogic Authentication Provider Privilege Inheritance Vulnerability
| Bugtraq ID: | 10130 |
| Class: | Access Validation Error |
| CVE: |
CVE-2004-0715 |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 13 2004 12:00AM |
| Updated: | Jul 12 2009 04:06AM |
| Credit: | This issue was announced in the referenced vendor advisory. |
| Vulnerable: |
BEA Systems WebLogic Server for Win32 8.1 SP 2 BEA Systems WebLogic Server for Win32 8.1 SP 1 BEA Systems WebLogic Server for Win32 8.1 BEA Systems WebLogic Server for Win32 7.0 SP 4 BEA Systems WebLogic Server for Win32 7.0 SP 3 BEA Systems WebLogic Server for Win32 7.0 SP 2 BEA Systems WebLogic Server for Win32 7.0 SP 1 BEA Systems WebLogic Server for Win32 7.0 BEA Systems Weblogic Server 8.1 SP 2 BEA Systems Weblogic Server 8.1 SP 1 BEA Systems Weblogic Server 8.1 BEA Systems Weblogic Server 7.0 SP 4 BEA Systems Weblogic Server 7.0 SP 3 BEA Systems Weblogic Server 7.0 SP 2 BEA Systems Weblogic Server 7.0 SP 1 BEA Systems Weblogic Server 7.0 BEA Systems WebLogic Express for Win32 8.1 SP 2 BEA Systems WebLogic Express for Win32 8.1 SP 1 BEA Systems WebLogic Express for Win32 8.1 BEA Systems WebLogic Express for Win32 7.0 SP 4 BEA Systems WebLogic Express for Win32 7.0 SP 3 BEA Systems WebLogic Express for Win32 7.0 SP 2 BEA Systems WebLogic Express for Win32 7.0 SP 1 BEA Systems WebLogic Express for Win32 7.0 BEA Systems WebLogic Express 8.1 SP 2 BEA Systems WebLogic Express 8.1 SP 1 BEA Systems WebLogic Express 8.1 BEA Systems WebLogic Express 7.0 SP 4 BEA Systems WebLogic Express 7.0 SP 3 BEA Systems WebLogic Express 7.0 SP 2 BEA Systems WebLogic Express 7.0 SP 1 BEA Systems WebLogic Express 7.0 |
| Not Vulnerable: |
BEA Systems WebLogic Server for Win32 7.0 SP 5 BEA Systems Weblogic Server 7.0 SP 5 BEA Systems WebLogic Express for Win32 7.0 SP 5 BEA Systems WebLogic Express 7.0 SP 5 |
Discussion
BEA WebLogic Authentication Provider Privilege Inheritance Vulnerability
BEA WebLogic Server and Express are prone to an issue that may cause administrative privileges to be inherited by a secondary group that these permissions have not been explicitly granted to. This issue exists in the default Authentication provider and may allow for unauthorized administrative access to a security realm.
BEA WebLogic Server and Express are prone to an issue that may cause administrative privileges to be inherited by a secondary group that these permissions have not been explicitly granted to. This issue exists in the default Authentication provider and may allow for unauthorized administrative access to a security realm.
Exploit / POC
BEA WebLogic Authentication Provider Privilege Inheritance Vulnerability
Exploit code would not be required for this issue although it may occur inadvertently when an administrator is deleting and creating new groups.
Exploit code would not be required for this issue although it may occur inadvertently when an administrator is deleting and creating new groups.
Solution / Fix
BEA WebLogic Authentication Provider Privilege Inheritance Vulnerability
Solution:
BEA Systems has released SECURITY ADVISORY (BEA04-52.01), which supersedes the initial BEA04-52.00 advisory. This advisory includes updated resolution information for WebLogic 8.1.
Users of WebLogic 7.0 are advised to upgrade to WebLogic 7.0 SP 5. Patch information has also been provided for WebLogic 8.1 SP 2. Users of WebLogic 8.1 will be required to upgrade to SP 2 before applying the available patch. Please see the attached advisory for further details.
Solution:
BEA Systems has released SECURITY ADVISORY (BEA04-52.01), which supersedes the initial BEA04-52.00 advisory. This advisory includes updated resolution information for WebLogic 8.1.
Users of WebLogic 7.0 are advised to upgrade to WebLogic 7.0 SP 5. Patch information has also been provided for WebLogic 8.1 SP 2. Users of WebLogic 8.1 will be required to upgrade to SP 2 before applying the available patch. Please see the attached advisory for further details.
References
BEA WebLogic Authentication Provider Privilege Inheritance Vulnerability
References:
References:
- SECURITY ADVISORY (BEA04-52.00) (BEA Systems)
- SECURITY ADVISORY (BEA04-52.01) (BEA Systems)