[sec-adv] BEA WebLogic Server / Express Node Manager Plain Text Password Vulnerability
From: Secunia Security Advisories (sec-adv secunia.com)
Date: Fri Jul 11 2003 - 04:37:28 CDT
TITLE:
BEA WebLogic Server / Express Node Manager Plain Text Password
Vulnerability
READ ONLINE:
http://www.secunia.com/advisories/9230/
CRITICAL:
Less critical
IMPACT:
Exposure of sensitive information
WHERE:
Local system
SOFTWARE:
BEA WebLogic Express 7.x
BEA WebLogic Express 6.x
BEA WebLogic Server 7.x
BEA WebLogic Server 6.x
DESCRIPTION:
A vulnerability has been identified in certain versions of BEA
WebLogic Server and Express, which can be exploited by malicious,
local users to gain knowledge of sensitive information.
The problem is that the Node Manager Keyfile password is passed on
the command line in plain text. Anyone with access to the machine can
therefore gain knowledge of this by using various tools to view the
command line of other machines.
The following versions are affected:
- WebLogic Server and Express 6.1 (all platforms)
- WebLogic Server and Express 7.0 and 7.0.0.1 (all platforms)
NOTE: The vulnerability only occurs when the Node Manager is in use
and users other than those in WebLogic Server Admin and Operator
roles have access to process listings on the machine.
SOLUTION:
Apply patch.
WebLogic Server and Express 7.0 and 7.0.0.1 (requires SP2):
ftp://ftpna.beasys.com/pub/releases/security/CR093813_70sp2.zip
WebLogic Server and Express 6.1 (requires SP5):
ftp://ftpna.beasys.com/pub/releases/security/CR093813_61sp5.zip
ORIGINAL ADVISORY:
http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-34.jsp
----------------------------------------------------------------------
Secunia recommends that you verify all advisories you receive, by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
Contact details:
Web : http://www.secunia.com/
E-mail : support secunia.com
Tel : +44 (0) 20 7016 2693
Fax : +44 (0) 20 7637 0419
----------------------------------------------------------------------
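Added example (not part of the Secunia advisory and not BEA code): a Python audit that takes process argument vectors in the Linux /proc/<pid>/cmdline format, reports options that carry a secret value on the command line, and produces a masked copy that is safe to log. The advisory does not name the Node Manager option, so the name pattern, the -Dexample.* options and the sample values are assumptions constructed for illustration.

```python
import re

# Assumption: option names ending in one of these words carry a secret value.
# The advisory does not name the Node Manager option, so the pattern is generic.
SECRET_NAME = re.compile(r"(passw(or)?d|passphrase|secret|pass)$", re.I)
MASK = "********"

def parse_cmdline(raw: bytes) -> list:
    """Split a Linux /proc/<pid>/cmdline blob (NUL-separated argv)."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def audit_argv(argv: list) -> tuple:
    """Return (exposed option names, argv with the secret values masked)."""
    exposed, safe = [], argv[:1]
    i = 1
    while i < len(argv):
        name, sep, value = argv[i].partition("=")
        is_secret_opt = name.startswith("-") and bool(SECRET_NAME.search(name))
        has_next = i + 1 < len(argv) and not argv[i + 1].startswith("-")
        if is_secret_opt and sep and value:          # form: -Dx.password=VALUE
            exposed.append(name)
            safe.append(name + "=" + MASK)
        elif is_secret_opt and not sep and has_next:  # form: -storepass VALUE
            exposed.append(name)
            safe += [name, MASK]
            i += 1                                   # skip the value itself
        else:
            safe.append(argv[i])
        i += 1
    return exposed, safe

def audit_processes(cmdlines: dict) -> dict:
    """Map pid -> (exposed options, masked command line) for offenders only."""
    report = {}
    for pid, raw in cmdlines.items():
        exposed, safe = audit_argv(parse_cmdline(raw))
        if exposed:
            report[pid] = (exposed, " ".join(safe))
    return report

# Constructed sample data; option names and values are hypothetical, not BEA's.
# pid 103 passes a file path rather than the secret, so it is not flagged.
SAMPLE = {
    101: b"java\0-Dexample.keyfile.password=hunter2\0-classpath\0app.jar\0example.NodeAgent\0",
    102: b"keytool\0-list\0-storepass\0changeit\0-keystore\0ks.jks\0",
    103: b"java\0-Dexample.password.file=/etc/app/pw\0-classpath\0app.jar\0example.Main\0",
}

if __name__ == "__main__":
    for pid, (opts, line) in audit_processes(SAMPLE).items():
        print(pid, opts, line)
```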