BEA WebLogic Incorrect Operator Permissions Password Disclosure Vulnerability
BID:9505
Info
BEA WebLogic Incorrect Operator Permissions Password Disclosure Vulnerability
| Bugtraq ID: | 9505 |
| Class: | Configuration Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Jan 27 2004 12:00AM |
| Updated: | Jan 27 2004 12:00AM |
| Credit: | Announced by BEA Systems. |
| Vulnerable: |
BEA Systems WebLogic Server for Win32 8.1 SP 1 BEA Systems Weblogic Server 8.1 SP 1 BEA Systems WebLogic Express for Win32 8.1 SP 1 BEA Systems WebLogic Express 8.1 SP 1 |
| Not Vulnerable: |
BEA Systems WebLogic Server for Win32 8.1 SP 2 BEA Systems Weblogic Server 8.1 SP 2 BEA Systems WebLogic Express for Win32 8.1 SP 2 BEA Systems WebLogic Express 8.1 SP 2 |
Discussion
BEA WebLogic Incorrect Operator Permissions Password Disclosure Vulnerability
BEA WebLogic Server and WebLogic Express have been reported prone to a vulnerability that may allow server Operators to view sensitive credentials. The issue is reported to exist because the Operator role is erroneously assigned access to MBean attributes that contain user passwords.
An attacker, who is a member of the Operator role, may potentially exploit this vulnerability to disclose sensitive user credentials.
BEA WebLogic Server and WebLogic Express have been reported prone to a vulnerability that may allow server Operators to view sensitive credentials. The issue is reported to exist because the Operator role is erroneously assigned access to MBean attributes that contain user passwords.
An attacker, who is a member of the Operator role, may potentially exploit this vulnerability to disclose sensitive user credentials.
Exploit / POC
BEA WebLogic Incorrect Operator Permissions Password Disclosure Vulnerability
There is no exploit required.
There is no exploit required.
Solution / Fix
BEA WebLogic Incorrect Operator Permissions Password Disclosure Vulnerability
Solution:
The vendor has released an advisory (BEA04-49.00) to address this issue. The vendor has advised that customers who are affected by this issue upgrade to Service Pack 2. See referenced advisory for further details.
Solution:
The vendor has released an advisory (BEA04-49.00) to address this issue. The vendor has advised that customers who are affected by this issue upgrade to Service Pack 2. See referenced advisory for further details.
References
BEA WebLogic Incorrect Operator Permissions Password Disclosure Vulnerability
References:
References:
- SECURITY ADVISORY (BEA04-49.00) (BEA Systems)
- WebLogic Server Product Homepage (Oracle)