Tuesday, March 21, 2006

BEA WebLogic Vulnerabilities Patched

BEA has released six bulletins warning of vulnerabilities affecting WebLogic Server 6.1, 7.0 and 8.1 and WebLogic Portal 8.1 which could allow access to sensitive information, let security restrictions be bypassed, or cause denial of service.

- Bulletin BEA06-105.1 reports that specially crafted HTTP requests may be used to launch HTTP Request Smuggling attacks on the server. This affects WebLogic Server 8.1, 7.0 and 6.1. The bulletin is available at: http://dev2dev.bea.com/pub/advisory/177

- Bulletin BEA06-107.01 reports that the server allows an attacker too many invalid login attempts. This affects WebLogic Server 8.1 and 7.0. The bulletin is available at: http://dev2dev.bea.com/pub/advisory/178

- Bulletin BEA06-111.01 warns that the server log could be viewed remotely. This affects WebLogic Server 8.1, 7.0 and 6.1. The bulletin is available at: http://dev2dev.bea.com/pub/advisory/179

- Bulletin BEA06-120.00 describes an internal servlet that allows access to the Windows local file system. This affects WebLogic Server 6.1. The bulletin is available at: http://dev2dev.bea.com/pub/advisory/180

- Bulletin BEA06-122.00 reports an unauthorized access vulnerability in WebLogic Portal 8.1 sites using JSR-168 portlets. The bulletin is available at: http://dev2dev.bea.com/pub/advisory/182

- Bulletin BEA06-123.00 concerns a denial of service vulnerability in which parsing a malicious XML document consumes all available memory. This affects WebLogic Server 8.1, 7.0 and 6.1. The bulletin is available at: http://dev2dev.bea.com/pub/advisory/183
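The request smuggling class of bug in bulletin BEA06-105.1 arises when a front end and the server behind it disagree about where one HTTP request ends and the next begins. The following Python is an added example, not code from BEA or from WebLogic, showing the framing checks a reverse proxy or servlet filter can apply to reject ambiguous requests outright: conflicting Content-Length and Transfer-Encoding headers, duplicate or non-numeric Content-Length values, unrecognised transfer codings, and header-name obfuscation. The sample requests are constructed, and the names `framing_problems` and `is_safe_to_forward` are the example's own.

```python
import re

# Constructed sample requests (not taken from the BEA bulletin), as the raw
# bytes a reverse proxy or servlet filter would see before forwarding them.
SAMPLE_REQUESTS = {
    "clean": (
        b"POST /app HTTP/1.1\r\n"
        b"Host: example.test\r\n"
        b"Content-Length: 5\r\n"
        b"\r\n"
        b"a=1&b"
    ),
    # One hop honours Content-Length, the next honours Transfer-Encoding:
    # the two disagree about where the body ends.
    "cl_te_conflict": (
        b"POST /app HTTP/1.1\r\n"
        b"Host: example.test\r\n"
        b"Content-Length: 4\r\n"
        b"Transfer-Encoding: chunked\r\n"
        b"\r\n"
        b"0\r\n\r\n"
    ),
    "duplicate_cl": (
        b"POST /app HTTP/1.1\r\n"
        b"Host: example.test\r\n"
        b"Content-Length: 4\r\n"
        b"Content-Length: 10\r\n"
        b"\r\n"
        b"abcd"
    ),
    # A coding name that one hop recognises and another ignores, plus a
    # space before the colon that lenient parsers silently accept.
    "obfuscated_te": (
        b"POST /app HTTP/1.1\r\n"
        b"Host: example.test\r\n"
        b"Transfer-Encoding : xchunked\r\n"
        b"\r\n"
        b"0\r\n\r\n"
    ),
}

DECIMAL = re.compile(r"[0-9]+")


def parse_head(raw):
    """Return (request_line, [(raw_name, value), ...]) for a raw request.

    raw_name keeps the header name exactly as sent so that obfuscations such as
    "Transfer-Encoding : chunked" remain visible to the checks below.
    """
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        raw_name, _, value = line.partition(":")
        headers.append((raw_name, value.strip()))
    return lines[0], headers


def framing_problems(raw):
    """List the reasons a request's body framing is ambiguous.

    An empty list means there is exactly one way to read the body (one
    well-formed Content-Length, or chunked Transfer-Encoding with no
    Content-Length), so every hop will agree on where the request ends.
    """
    _, headers = parse_head(raw)
    problems = []
    content_lengths = []
    transfer_encodings = []

    for raw_name, value in headers:
        if raw_name[:1] in (" ", "\t"):
            problems.append("obsolete line folding in headers")
            continue
        if raw_name != raw_name.strip():
            problems.append("whitespace around header name: %r" % raw_name)
        name = raw_name.strip().lower()
        if name == "content-length":
            content_lengths.append(value)
        elif name == "transfer-encoding":
            transfer_encodings.append(value)

    if content_lengths and transfer_encodings:
        problems.append("Content-Length and Transfer-Encoding both present")
    if len(content_lengths) > 1:
        problems.append("multiple Content-Length headers: %s" % content_lengths)
    for cl in content_lengths:
        if not DECIMAL.fullmatch(cl):
            problems.append("non-numeric Content-Length: %r" % cl)
    for te in transfer_encodings:
        codings = [c.strip().lower() for c in te.split(",")]
        if codings[-1] != "chunked":
            problems.append("Transfer-Encoding does not end in chunked: %r" % te)
    return problems


def is_safe_to_forward(raw):
    """Reject-on-ambiguity policy: forward only requests with no problems."""
    return not framing_problems(raw)


if __name__ == "__main__":
    for label, request in SAMPLE_REQUESTS.items():
        print(label, "->", framing_problems(request) or "ok")
```

The policy here is deliberately strict: rather than picking a winner between the two framing headers, anything ambiguous is refused, because the whole problem is that a different hop may pick the other winner.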
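For the memory-exhaustion bug in bulletin BEA06-123.00 the page does not say which XML construct is involved; the added example below assumes the classic case of nested internal entity declarations and shows how a parser can cost each declaration and refuse the document before any expansion happens in the body. It is not WebLogic code: it uses Python's standard expat binding, the budget constant and the sample documents are constructed, and `parse_with_expansion_budget`, `would_exhaust_memory` and `build_bomb` are the example's own names.

```python
import re
import xml.parsers.expat

# Assumption: 1 MiB of expanded entity text is plenty for ordinary documents;
# tune the budget to the application.
MAX_EXPANSION_CHARS = 1024 * 1024

ENTITY_REF = re.compile(r"&([^;&\s]+);")


class ExpansionLimitExceeded(Exception):
    """Raised during the DTD phase, before any entity is expanded in the body."""


def parse_with_expansion_budget(document, limit=MAX_EXPANSION_CHARS):
    """Parse `document` with expat and return the element names encountered.

    Every internal entity declaration is costed as the size it would have after
    full expansion: its literal length, with each reference to an earlier entity
    replaced by that entity's own expanded size. A declaration whose expanded
    size exceeds `limit` aborts the parse while the DTD is still being read.
    """
    expanded_size = {}   # entity name -> characters after full expansion
    elements = []

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if value is None:   # external entity: not fetched here, costs nothing
            return
        size = len(value)
        for ref in ENTITY_REF.findall(value):
            # Replace the "&ref;" text by the referenced entity's expanded size.
            # Unknown and predefined entities are costed as expanding to nothing,
            # which can only undercount.
            size += expanded_size.get(ref, 0) - (len(ref) + 2)
        expanded_size[name] = size
        if size > limit:
            raise ExpansionLimitExceeded(
                "entity %r would expand to %d characters (limit %d)"
                % (name, size, limit))

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = entity_decl
    parser.StartElementHandler = lambda tag, attrs: elements.append(tag)
    parser.Parse(document, True)
    return elements


def would_exhaust_memory(document):
    """True if the document is refused by the expansion budget."""
    try:
        parse_with_expansion_budget(document)
    except ExpansionLimitExceeded:
        return True
    return False


# Constructed sample document with a harmless internal entity.
SAFE_DOC = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE order [ <!ENTITY vendor "Example Vendor"> ]>\n'
    '<order><supplier>&vendor;</supplier></order>'
)


def build_bomb(levels=10, fanout=10):
    """Constructed nested declarations: level k expands to 3 * fanout**k chars."""
    decls = ['<!ENTITY e0 "lol">']
    for k in range(1, levels):
        decls.append('<!ENTITY e%d "%s">' % (k, ("&e%d;" % (k - 1)) * fanout))
    return '<!DOCTYPE x [\n%s\n]>\n<x>&e%d;</x>' % ("\n".join(decls), levels - 1)


BOMB_DOC = build_bomb()

if __name__ == "__main__":
    print("safe document:", parse_with_expansion_budget(SAFE_DOC))
    print("bomb refused:", would_exhaust_memory(BOMB_DOC))
```

Because the cost is computed from the declarations alone, the guard trips at the sixth nesting level of a ten-fold bomb (three million characters) without the parser ever allocating the expanded text; a document whose entities legitimately expand to more than the budget simply needs a larger `limit`.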

Users affected by the problems in WebLogic Server and WebLogic Portal should refer to the BEA bulletins (available from http://dev2dev.bea.com/advisoriesnotifications/) and take the security measures indicated.