CERT-In Advisory CIAD-2008-55
Multiple Vulnerabilities in Oracle WebLogic Products
Original issue date: October 27, 2008
Severity Rating: Medium
Systems Affected
- Oracle WebLogic Server (formerly BEA WebLogic Server) 10.0 released through Maintenance Pack 1 on all platforms
- Oracle WebLogic Server (formerly BEA WebLogic Server) 9.2 released through Maintenance Pack 3 on all platforms
- Oracle WebLogic Server (formerly BEA WebLogic Server) 9.1 on all platforms
- Oracle WebLogic Server (formerly BEA WebLogic Server) 9.0 on all platforms
- Oracle WebLogic Server (formerly BEA WebLogic Server) 8.1 Service Pack 4 through Service Pack 6, on all platforms
- Oracle Workshop for WebLogic (formerly BEA WebLogic Workshop) 8.1 released through Service Pack 5 on all platforms
- Oracle Workshop for WebLogic (formerly BEA WebLogic Workshop) 10.3 GA, on all platforms
- Oracle Workshop for WebLogic (formerly BEA WebLogic Workshop) 10.2 GA, on all platforms
- Oracle Workshop for WebLogic (formerly BEA WebLogic Workshop) 10.0 released through Maintenance Pack 1, on all platforms
- Oracle Workshop for WebLogic (formerly BEA WebLogic Workshop) 9.2 released through Maintenance Pack 3, on all platforms
- Oracle Workshop for WebLogic (formerly BEA WebLogic Workshop) 9.1 GA, on all platforms
- Oracle Workshop for WebLogic (formerly BEA WebLogic Workshop) 9.0 GA, on all platforms
- Oracle Workshop for WebLogic (formerly BEA WebLogic Workshop) 8.1 released through Service Pack 6, on all platforms
Overview
Multiple vulnerabilities have been reported in certain versions of WebLogic Server and WebLogic Workshop, which could be exploited by malicious users and attackers to bypass certain security restrictions, leading to disclosure or modification of user information.
Description
Several vulnerabilities have been reported in WebLogic Server and WebLogic Workshop which could be exploited by malicious users to affect confidentiality, integrity, and availability via unknown vectors. For reference, these vulnerabilities have been addressed in CERT-In Advisory CIAD-2008-50.
1. Elevation of Privilege vulnerability if more than one authorizer is used (CVE-2008-4009)
The vulnerability exists in the WebLogic Server component when more than one authorizer, such as an 'XACMLAuthorizer' together with a 'DefaultAuthorizer', is configured, which may result in elevation of privileges for some resources. This vulnerability can be remotely exploited without authentication to bypass certain security restrictions.
Solutions
2. Elevation of privilege vulnerability in some NetUI tags (CVE-2008-4010)
The vulnerability is caused in the WebLogic Workshop component due to an unspecified error within NetUI tags, which can be remotely exploited without authentication to access sensitive information.
Solutions
- For WebLogic Workshop 10.3, use the Smart Update tool to install the 10.3 patch for CR379951.
- For WebLogic Workshop 10.2, use the Smart Update tool to install the 10.2 patch for CR368783.
- For WebLogic Workshop 10.0,
- Upgrade to WebLogic Workshop 10.0 Maintenance Pack
- Use the Smart Update tool to install the 10.0 patch for CR368782.
- For WebLogic Workshop 9.2, 9.1, 9.0
- Upgrade to WebLogic Workshop 9.2 Maintenance Pack
- Use the Smart Update tool to install the 9.2 patch for CR352906
- For WebLogic Workshop 8.1,
- For details, refer to the Oracle BEA Security Advisory available at:
https://support.bea.com/application_content/product_portlets/securityadvisories/2803.html
3. Elevation of privileges for some applications (CVE-2008-4011)
The vulnerability exists in the WebLogic Server component. Exploitation of this vulnerability allows remote authenticated users to gain access to unspecified applications running with administrative privileges.
Solutions
- For WebLogic Server version 10.0
- Upgrade to WebLogic Server 10.0 Maintenance Pack
- Use the Smart Update tool to install the 10.0 MP1 patch for CR367966.
- For WebLogic Server version 9.2,
- Upgrade to WebLogic Server 9.2 Maintenance Pack
- Use the Smart Update tool to install the 9.2 patch for CR367966
- For WebLogic Server version 9.1, use the Smart Update tool to install the 9.1 patch for CR367966.
- For WebLogic Server 9.0,
- For details, refer to the Oracle BEA Security Advisory available at:
https://support.bea.com/application_content/product_portlets/securityadvisories/2804.html
4. Information Disclosure vulnerability in some NetUI pageflows (CVE-2008-4012)
This vulnerability affects some unspecified NetUI pageflows in the WebLogic Workshop component. The vulnerability can be remotely exploited without authentication to allow users to gain elevated privileges or obtain sensitive information.
Solutions
5. Protected webapps may be displayed under certain conditions (CVE-2008-4013)
This vulnerability exists in the WebLogic Server component and allows unauthorized users to access protected web applications. The vulnerability arises when the 'auth-method' is set to 'CLIENT-CERT' in versions subsequent to WebLogic Server 8.1 SP3.
Solutions
- For WebLogic Server version 10.0
- Upgrade to WebLogic Server 10.0 Maintenance Pack
- Use the Smart Update tool to install the 10.0 MP1 patch for CR218639
- For WebLogic Server version 9.2
- Upgrade to WebLogic Server 9.2 Maintenance Pack
- Use the Smart Update tool to install the 9.2 patch for CR218639
- For WebLogic Server version 9.1, use the Smart Update tool to install the 9.1 patch for CR218639.
- For WebLogic Server 9.0,
- For details, refer to the Oracle BEA Security Advisory available at:
https://support.bea.com/application_content/product_portlets/securityadvisories/2801.html
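The two exposure conditions this advisory states in configuration terms, more than one authorization provider in a realm (CVE-2008-4009) and a web application whose login-config selects CLIENT-CERT (CVE-2008-4013), can be checked for in a domain's descriptors before patching. The following script is an added example, not CERT-In or Oracle code; it assumes the WebLogic 9.x/10.x config.xml layout in which authorization providers appear as <authorization-provider> elements under <security-configuration><realm>, and the sample XML it parses is constructed for illustration.

```python
"""Flag the two configuration conditions named in this advisory."""
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

def local(tag):
    """Strip the namespace so tag matching ignores prefixes."""
    return tag.rsplit("}", 1)[-1]

def configured_authorizers(config_xml):
    """Return the xsi:type of every <authorization-provider> in a realm.
    WebLogic 9.x/10.x domain config.xml lists security providers under
    <security-configuration><realm>; that layout is assumed here."""
    root = ET.fromstring(config_xml)
    return [el.get(XSI_TYPE, "unknown") for el in root.iter()
            if local(el.tag) == "authorization-provider"]

def uses_client_cert(web_xml):
    """True when the web app's <login-config> selects CLIENT-CERT."""
    root = ET.fromstring(web_xml)
    return any(local(el.tag) == "auth-method"
               and (el.text or "").strip().upper() == "CLIENT-CERT"
               for el in root.iter())

def assess(config_xml, web_xml):
    """Map the two exposure conditions to the advisory's CVE entries."""
    findings = []
    authorizers = configured_authorizers(config_xml)
    if len(authorizers) > 1:
        findings.append("CVE-2008-4009: %d authorizers configured (%s)"
                        % (len(authorizers), ", ".join(authorizers)))
    if uses_client_cert(web_xml):
        findings.append("CVE-2008-4013: auth-method CLIENT-CERT in use")
    return findings

# Constructed sample inputs for illustration, not taken from a real domain.
SAMPLE_CONFIG = """<domain xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:sec="http://www.bea.com/ns/weblogic/90/security">
  <security-configuration><realm>
    <sec:authorization-provider xsi:type="wls:default-authorizerType"/>
    <sec:authorization-provider xsi:type="xac:xacml-authorizerType"/>
  </realm></security-configuration></domain>"""
SAMPLE_WEB = """<web-app><login-config>
  <auth-method>CLIENT-CERT</auth-method></login-config></web-app>"""

if __name__ == "__main__":
    for line in assess(SAMPLE_CONFIG, SAMPLE_WEB) or ["no advisory conditions found"]:
        print(line)
```

A hit on either check identifies a deployment to prioritise for the patches listed above; it does not by itself confirm exploitability.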
Vendor Information
Oracle
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html
http://blogs.oracle.com/security/2008/10/14
BEA Systems
https://support.bea.com/application_content/product_portlets/securityadvisories/index.html
References
Oracle BEA
https://support.bea.com/application_content/product_portlets/securityadvisories/2801.html
https://support.bea.com/application_content/product_portlets/securityadvisories/2802.html
https://support.bea.com/application_content/product_portlets/securityadvisories/2803.html
https://support.bea.com/application_content/product_portlets/securityadvisories/2804.html
https://support.bea.com/application_content/product_portlets/securityadvisories/2805.html
Secunia
http://secunia.com/advisories/32304
http://secunia.com/advisories/32302
http://secunia.com/advisories/32303/
http://secunia.com/Advisories/32301
Security Database
http://www.security-database.com/cvss.php?alert=CVE-2008-4009
http://www.security-database.com/cvss.php?alert=CVE-2008-4010
http://www.security-database.com/cvss.php?alert=CVE-2008-4011
http://www.security-database.com/cvss.php?alert=CVE-2008-4012
http://www.security-database.com/cvss.php?alert=CVE-2008-4013
SecurityTracker
http://www.securitytracker.com/alerts/2008/Oct/1021056.html
FrSIRT
http://www.frsirt.com/english/advisories/2008/2825
SecurityFocus
http://www.securityfocus.com/bid/31683/
Juniper
https://www.juniper.net/security/auto/vulnerabilities/vuln31683.html
CVE Name
CVE-2008-4009
CVE-2008-4010
CVE-2008-4011
CVE-2008-4012
CVE-2008-4013
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003