BEA WebLogic Server And WebLogic Express Configuration Log Files Plain Text Password Vulnerability
BID:10188
Info
BEA WebLogic Server And WebLogic Express Configuration Log Files Plain Text Password Vulnerability
| Bugtraq ID: | 10188 |
| Class: | Design Error |
| CVE: |
CVE-2004-0712 |
| Remote: | No |
| Local: | Yes |
| Published: | Apr 21 2004 12:00AM |
| Updated: | Jul 12 2009 04:06AM |
| Credit: | This issue was disclosed in the referenced vendor advisory. |
| Vulnerable: |
BEA Systems WebLogic Server for Win32 8.1 SP 2 BEA Systems WebLogic Server for Win32 8.1 SP 1 BEA Systems WebLogic Server for Win32 8.1 BEA Systems Weblogic Server 8.1 SP 2 BEA Systems Weblogic Server 8.1 SP 1 BEA Systems Weblogic Server 8.1 BEA Systems WebLogic Express for Win32 8.1 SP 2 BEA Systems WebLogic Express for Win32 8.1 SP 1 BEA Systems WebLogic Express for Win32 8.1 BEA Systems WebLogic Express 8.1 SP 2 BEA Systems WebLogic Express 8.1 SP 1 BEA Systems WebLogic Express 8.1 |
| Not Vulnerable: | |
Discussion
BEA WebLogic Server And WebLogic Express Configuration Log Files Plain Text Password Vulnerability
Reportedly BEA WebLogic Server and WebLogic Express are affected by a log file plain text password vulnerability. This issue is due to a design error that causes the affected configuration applications to display plain text passwords when producing log files.
Any local attacker may be able to leverage this issue to be able to authenticate to the affected system as an administrator.
Reportedly BEA WebLogic Server and WebLogic Express are affected by a log file plain text password vulnerability. This issue is due to a design error that causes the affected configuration applications to display plain text passwords when producing log files.
Any local attacker may be able to leverage this issue to be able to authenticate to the affected system as an administrator.
Exploit / POC
BEA WebLogic Server And WebLogic Express Configuration Log Files Plain Text Password Vulnerability
An exploit is not required to leverage this issue.
An exploit is not required to leverage this issue.
Solution / Fix
BEA WebLogic Server And WebLogic Express Configuration Log Files Plain Text Password Vulnerability
Solution:
BEA Systems Inc. has released advisory BEA04-58.00 as well as fixes dealing with this issue. They have advised that users upgrade to the WebLogic Server and WebLogic Express version 8.1 Service Pack. Please see the referenced advisory for more information.
BEA Systems Weblogic Server 8.1 SP 2
BEA Systems WebLogic Server for Win32 8.1 SP 2
BEA Systems WebLogic Express for Win32 8.1 SP 2
BEA Systems WebLogic Express 8.1 SP 2
Solution:
BEA Systems Inc. has released advisory BEA04-58.00 as well as fixes dealing with this issue. They have advised that users upgrade to the WebLogic Server and WebLogic Express version 8.1 Service Pack. Please see the referenced advisory for more information.
BEA Systems Weblogic Server 8.1 SP 2
-
BEA Systems CR135189_81sp2patch.jar
ftp://ftpna.beasys.com/pub/releases/security/CR135189_81sp2patch.jar
BEA Systems WebLogic Server for Win32 8.1 SP 2
-
BEA Systems CR135189_81sp2patch.jar
ftp://ftpna.beasys.com/pub/releases/security/CR135189_81sp2patch.jar
BEA Systems WebLogic Express for Win32 8.1 SP 2
-
BEA Systems CR135189_81sp2patch.jar
ftp://ftpna.beasys.com/pub/releases/security/CR135189_81sp2patch.jar
BEA Systems WebLogic Express 8.1 SP 2
-
BEA Systems CR135189_81sp2patch.jar
ftp://ftpna.beasys.com/pub/releases/security/CR135189_81sp2patch.jar
References
BEA WebLogic Server And WebLogic Express Configuration Log Files Plain Text Password Vulnerability
References:
References:
- Security Advisory: (BEA04-58.00) (BEA Systems)
- WebLogic Server Product Homepage (Oracle)