BEA WebLogic Server Unauthenticated Access Vulnerability (BEA03-28)

Vulnerability Key Information Vulnerability Title: Remote Administration of BEA WebLogic Server and Express Release Date: March 18, 2003 Severity: High Affected Systems: WebLogic Server and Express 6.0 WebLogic Server and Express 6.1 WebLogic Server and Express 7.0 Vulnerability Description: SPI Labs and S21sec discovered a critical vulnerability that allows attackers to gain unauthorized access to applications and systems running on affected WebLogic servers. In the default configuration of WebLogic, several undocumented applications were found, some of which are used for inter-server communication, including internal maintenance and management tasks such as source code distribution and modification. Further analysis revealed that many of these applications are inadequately protected against unauthorized use; in some cases, administrative functions can be executed without authentication. The presence of these unprotected applications poses a serious threat. If an attacker can directly access the WebLogic server, it can be assumed that this vulnerability will ultimately lead to attacks on applications hosted on the server. Remediation Recommendations: SPI Labs recommends the following actions: For WebLogic Server and Express 6.0: Upgrade to Service Pack 2 Rollup Patch 3 and apply the included patches as instructed. For WebLogic Server and Express 6.1: Upgrade to Service Pack 4 and apply the included patches as instructed. For WebLogic Server and Express 7.0 (release version or 7.0.0.1): Upgrade to Service Pack 2 and apply the included patches as instructed. When available, Service Pack 5 and Service Pack 3 can be used in place of Service Pack 4 and Service Pack 2, respectively. Vendor Information: BEA has been made aware of this issue and has released the above patch information. For more details, see: http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-28.jsp

Goal Reached Thanks to every supporter — we hit 100%!

BEA WebLogic Server Unauthenticated Access Vulnerability (BEA03-28)