Remote Administration of BEA WebLogic Server and Express

Release Date: March 18, 2003
Severity: High

Systems Affected:
  - WebLogic Server and Express 6.0
  - WebLogic Server and Express 6.1
  - WebLogic Server and Express 7.0

Description:

SPI Labs and S21sec have identified a serious vulnerability that could allow an attacker to gain unauthorized access to the applications and systems present on an affected WebLogic server.

Several undocumented applications were found that are deployed in default configurations of WebLogic. Some of these applications are used by WebLogic for server-to-server communication during internal maintenance and administration tasks, such as source code distribution and modification. Further analysis revealed that many of these applications were not adequately protected from unauthorized use. In some cases, no authentication was required to perform administrative functions.

The threat posed by the existence of these unprotected applications is severe. If an attacker can reach a WebLogic server directly, this vulnerability can be expected to result in a compromise of the applications residing on that server.

Because these applications are not intended to be configured, or even identified, by users, no configuration workaround exists. BEA has issued a patch that corrects this issue. SPI Labs recommends that it be applied to all WebLogic installations immediately.

Remediation:

SPI Labs recommends the following actions:
  - For WebLogic Server and Express 6.0:
      o Upgrade to Service Pack 2 Rolling Patch 3 and follow the instructions to apply the included patch.
  - For WebLogic Server and Express 6.1:
      o Upgrade to Service Pack 4 and follow the instructions to apply the included patch.
      o When Service Pack 5 becomes available, it may be used instead of Service Pack 4 and the patch.
  - For WebLogic Server and Express 7.0 (original release or 7.0.0.1):
      o Upgrade to Service Pack 2 and follow the instructions to apply the included patch.
      o When Service Pack 3 becomes available, it may be used instead of Service Pack 2 and the patch.

Vendor Information:

BEA has been notified of this issue and has released the patch information described above at the following link:
http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-28.jsp
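The remediation matrix above is easy to misread when triaging a fleet, so the following is an added example (not part of the original advisory, nor BEA's or SPI Labs' code) that turns it into a banner check. It assumes that an unmodified WebLogic installation of this era returns an HTTP Server header of the form "WebLogic WebLogic Server <version> SP<n> [RP<n>] <build info>"; the sample headers below are constructed for illustration. Because the BEA03-28 patch itself is not visible in the banner, a server at the minimum service pack can only be reported as "verify-patch", never as fixed, and a suppressed or unrecognised banner is reported as "unknown" rather than as safe.

```python
import re

# Minimum service pack (and rolling patch, where one applies) at which the
# BEA03-28 patch can be installed, per affected branch, and the later service
# pack that the advisory says may be used instead of the patch.  Values are
# taken from the remediation section above; None means "not applicable".
REMEDIATION = {
    "6.0": {"min_sp": 2, "min_rp": 3, "fixed_sp": None},
    "6.1": {"min_sp": 4, "min_rp": None, "fixed_sp": 5},
    "7.0": {"min_sp": 2, "min_rp": None, "fixed_sp": 3},
}

# Assumed banner layout: "WebLogic Server 7.0.0.1 SP2 RP3 ...".  The first two
# version components select the branch; extra components (7.0.0.1) are ignored.
BANNER_RE = re.compile(
    r"WebLogic Server\s+(\d+\.\d+)(?:\.\d+)*(?:\s+SP(\d+))?(?:\s+RP(\d+))?",
    re.IGNORECASE,
)


def parse_banner(server_header):
    """Return (branch, service_pack, rolling_patch) or None if not WebLogic."""
    match = BANNER_RE.search(server_header)
    if match is None:
        return None
    branch, sp, rp = match.groups()
    return branch, int(sp) if sp else 0, int(rp) if rp else 0


def assess(server_header):
    """Classify one Server header against the advisory's remediation matrix.

    Returns one of:
      "unknown"       - banner missing, suppressed or not WebLogic (no conclusion)
      "not-in-scope"  - a WebLogic branch the advisory does not list
      "vulnerable"    - below the level at which the patch can even be applied
      "verify-patch"  - at or above the minimum SP; patch presence is not
                        observable from the banner and must be checked on host
      "fixed"         - at the later SP that supersedes the patch
    """
    parsed = parse_banner(server_header)
    if parsed is None:
        return "unknown"
    branch, sp, rp = parsed
    fix = REMEDIATION.get(branch)
    if fix is None:
        return "not-in-scope"
    if fix["fixed_sp"] is not None and sp >= fix["fixed_sp"]:
        return "fixed"
    if sp < fix["min_sp"]:
        return "vulnerable"
    if sp == fix["min_sp"] and fix["min_rp"] is not None and rp < fix["min_rp"]:
        return "vulnerable"
    return "verify-patch"


def triage(banners):
    """Map each Server header to its assessment, for bulk review."""
    return {banner: assess(banner) for banner in banners}


# Constructed sample headers (not captured from real hosts).
SAMPLE_BANNERS = [
    "WebLogic WebLogic Server 6.0 SP2 RP2",
    "WebLogic WebLogic Server 6.0 SP2 RP3",
    "WebLogic WebLogic Server 6.1 SP2  Thu Feb 13 12:00:00 PST 2003 123456",
    "WebLogic WebLogic Server 6.1 SP4",
    "WebLogic WebLogic Server 6.1 SP5",
    "WebLogic WebLogic Server 7.0.0.1  Sun Jan 26 23:09:32 PST 2003 234192",
    "WebLogic WebLogic Server 7.0 SP3",
    "Apache/2.0.44 (Unix)",
]

if __name__ == "__main__":
    for banner, status in triage(SAMPLE_BANNERS).items():
        print(f"{status:13} {banner}")
```

Treat the output as a worklist, not a verdict: banners can be suppressed or rewritten by a reverse proxy, and only the patch inventory on the host confirms that the BEA03-28 patch is actually installed on a "verify-patch" server.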