CERT-In Advisory
CIAD-2008-0055
Multiple Vulnerabilities in Oracle WebLogic Products
Original Issue Date: October 27, 2008
Severity Rating: High
Systems Affected
- Oracle WebLogic Server formerly BEA WebLogic Server 10.0 released through Maintenance Pack 1 on all platforms
- Oracle WebLogic Server formerly BEA WebLogic Server 9.2 released through Maintenance Pack 3 on all platforms
- Oracle WebLogic Server formerly BEA WebLogic Server 9.1 on all platforms
- Oracle WebLogic Server formerly BEA WebLogic Server 9.0 on all platforms
- Oracle WebLogic Server formerly BEA WebLogic Server 8.1 Service Pack 4 through Service Pack 6, on all platforms
- Oracle Workshop for WebLogic formerly BEA WebLogic Workshop 8.1 released through Service Pack 5 on all platforms
- Oracle Workshop for WebLogic formerly BEA WebLogic Workshop 10.3 GA, on all platforms
- Oracle Workshop for WebLogic formerly BEA WebLogic Workshop 10.2 GA, on all platforms
- Oracle Workshop for WebLogic formerly BEA WebLogic Workshop 10.0 released through Maintenance Pack 1, on all platforms
- Oracle Workshop for WebLogic formerly BEA WebLogic Workshop 9.2 released through Maintenance Pack 3, on all platforms
- Oracle Workshop for WebLogic formerly BEA WebLogic Workshop 9.1 GA, on all platforms
- Oracle Workshop for WebLogic formerly BEA WebLogic Workshop 9.0 GA, on all platforms
- Oracle Workshop for WebLogic formerly BEA WebLogic Workshop 8.1 released through Service Pack 6, on all platforms
Overview
Multiple vulnerabilities have been reported in certain versions of WebLogic Server and WebLogic Workshop, which could be exploited by malicious users and attackers to bypass certain security restrictions to cause disclosure of user information and modification of user
Description
1. Elevation of Privilege vulnerability if more than one authorizer is used (CVE-2008-4009)
The vulnerability exists in the WebLogic Server component when more than one authorizer, such as an 'XACMLAuthorizer' and a 'DefaultAuthorizer', is configured, in which case privileges may be elevated for some resources. This vulnerability can be remotely exploited without authentication to bypass certain security restrictions.
2. Elevation of privilege vulnerability in some NetUI tags (CVE-2008-4010)
The vulnerability exists in the WebLogic Workshop component due to an unspecified error within NetUI tags, which can be remotely exploited without authentication to access sensitive information.
3. Elevation of privileges for some applications (CVE-2008-4011)
The vulnerability exists in the WebLogic Server component. Exploitation of this vulnerability allows remote authenticated users to gain access to unspecified applications running with administrative privileges.
4. Information Disclosure vulnerability in some NetUI pageflows (CVE-2008-4012)
This vulnerability affects some unspecified NetUI pageflows in the WebLogic Workshop component. The vulnerability can be remotely exploited without authentication to allow users to gain elevated privileges or obtain sensitive information.
5. Protected webapps may be displayed under certain conditions (CVE-2008-4013)
This vulnerability exists in the WebLogic Server component and allows unauthorized users to access protected web applications. The vulnerability arises when 'auth-method' is set to 'CLIENT-CERT' in versions subsequent to WebLogic Server 8.1 SP3.
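The two conditions above that an administrator can check for directly are a realm with more than one authorizer (item 1) and a web application whose 'auth-method' is 'CLIENT-CERT' (item 5). The following triage script is an added example and is not part of this advisory or of Oracle's tooling; the realm layout in the constructed config.xml sample is an assumption that mirrors WebLogic's security-configuration section, while the web.xml login-config is the standard Servlet descriptor layout.

```python
"""Triage checks for the configuration preconditions named in CIAD-2008-0055.
Added example, not from the advisory. The config.xml realm layout is assumed."""
import xml.etree.ElementTree as ET

# Constructed sample of a WebLogic domain config.xml realm with two authorizers
# (the 'XACMLAuthorizer' plus 'DefaultAuthorizer' combination the advisory names).
CONFIG_XML = """<domain xmlns:sec="urn:example:assumed-security-ns">
  <security-configuration>
    <realm>
      <sec:name>myrealm</sec:name>
      <sec:authorization-provider><sec:name>XACMLAuthorizer</sec:name></sec:authorization-provider>
      <sec:authorization-provider><sec:name>DefaultAuthorizer</sec:name></sec:authorization-provider>
    </realm>
  </security-configuration>
</domain>"""

# Constructed sample web.xml that selects CLIENT-CERT authentication.
WEB_XML = """<web-app>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>"""


def local(tag):
    """Strip an XML namespace: '{uri}name' -> 'name', so prefixes do not matter."""
    return tag.rsplit('}', 1)[-1]


def realms_with_multiple_authorizers(config_xml):
    """Return {realm name: [authorizer names]} for every realm that configures
    more than one authorization provider (the CVE-2008-4009 precondition)."""
    root = ET.fromstring(config_xml)
    findings = {}
    for realm in (e for e in root.iter() if local(e.tag) == 'realm'):
        realm_name = next((c.text for c in realm if local(c.tag) == 'name'), '?')
        providers = [c for c in realm if local(c.tag) == 'authorization-provider']
        names = [next((g.text for g in p if local(g.tag) == 'name'), '?') for p in providers]
        if len(names) > 1:
            findings[realm_name] = names
    return findings


def uses_client_cert(web_xml):
    """True if any <auth-method> in the descriptor is CLIENT-CERT; on WebLogic
    Server releases after 8.1 SP3 this is the CVE-2008-4013 precondition."""
    root = ET.fromstring(web_xml)
    return any(local(e.tag) == 'auth-method'
               and (e.text or '').strip().upper() == 'CLIENT-CERT'
               for e in root.iter())
```

Run both functions over each domain's config.xml and each deployed application's WEB-INF/web.xml; a non-empty result from either is a reason to prioritise the corresponding patch listed under Solution.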
Solution
- For WebLogic Server version 9.1, use the Smart Update tool to install the 9.1 patch for CR334468.
- For details, refer to the Oracle BEA Security Advisory available at:
https://support.bea.com/application_content/product_portlets/securityadvisories/2802.html
- For WebLogic Workshop 10.3, use the Smart Update tool to install the 10.3 patch for CR379951.
- For WebLogic Workshop 10.2, use the Smart Update tool to install the 10.2 patch for CR368783.
- For WebLogic Workshop 10.0,
- Upgrade to WebLogic Workshop 10.0 Maintenance Pack
- Use the Smart Update tool to install the 10.0 patch for CR368782.
- For WebLogic Workshop 9.2, 9.1, and 9.0,
- Upgrade to WebLogic Workshop 9.2 Maintenance Pack
- Use the Smart Update tool to install the 9.2 patch for CR352906
- For WebLogic Workshop 8.1,
- Upgrade to WebLogic Workshop 8.1 Service Pack
- Download the patch from:
ftp://anonymous:dev2dev 40bea.com@ftpna.bea.com/pub/releases/security/patch_CR366139_81SP6.zip
- For WebLogic Server version 10.0
- Upgrade to WebLogic Server 10.0 Maintenance Pack
- Use the Smart Update tool to install the 10.0 MP1 patch for CR367966.
- For WebLogic Server version 9.2,
- Upgrade to WebLogic Server 9.2 Maintenance Pack
- Use the Smart Update tool to install the 9.2 patch for CR367966
- For WebLogic Server version 9.1, use the Smart Update tool to install the 9.1 patch for CR367966.
- For WebLogic Server 9.0,
- Install the 9.0 GA Combo patch from support.bea.com by requesting Bug ID CR239280.
- Download the patch from:
ftp://anonymous:dev2dev 40bea.com@ftpna.bea.com/pub/releases/security/CR367966_900.jar
- For WebLogic Workshop 8.1, upgrade to WebLogic Workshop Service Pack 6 or a newer version (9.2 or later).
- For details, refer to the Oracle BEA Security Advisory available at:
https://support.bea.com/application_content/product_portlets/securityadvisories/2805.html
ftp://anonymous:dev2dev 40bea.com@ftpna.bea.com/pub/releases/security/CR218639_900.jar
Vendor Information
Oracle
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html
http://blogs.oracle.com/security/2008/10/14
BEA Systems
https://support.bea.com/application_content/product_portlets/securityadvisories/index.html
References
Oracle BEA
https://support.bea.com/application_content/product_portlets/securityadvisories/2801.html
https://support.bea.com/application_content/product_portlets/securityadvisories/2802.html
https://support.bea.com/application_content/product_portlets/securityadvisories/2803.html
https://support.bea.com/application_content/product_portlets/securityadvisories/2804.html
Secunia
http://secunia.com/advisories/32304
http://secunia.com/advisories/32302
http://secunia.com/advisories/32303/
Security Database
http://www.security-database.com/cvss.php?alert=CVE-2008-4009
http://www.security-database.com/cvss.php?alert=CVE-2008-4010
http://www.security-database.com/cvss.php?alert=CVE-2008-4011
http://www.security-database.com/cvss.php?alert=CVE-2008-4012
SecurityTracker
http://www.securitytracker.com/alerts/2008/Oct/1021056.html
FrSIRT
http://www.frsirt.com/english/advisories/2008/2825
SecurityFocus
http://www.securityfocus.com/bid/31683/
Juniper
https://www.juniper.net/security/auto/vulnerabilities/vuln31683.html
CVE Name
CVE-2008-4009
CVE-2008-4010
CVE-2008-4011
CVE-2008-4012
CVE-2008-4013
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India