BEA WebLogic May Write Administrator Password in Clear Text to 'config.xml'
SecurityTracker Alert ID: 1008868
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jan 27 2004
Impact: Disclosure of authentication information, User access via local system
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 8.1 (including SP1)
Description: A vulnerability was reported in BEA WebLogic Server and Express version 8.1 (including Service Pack 1). A local user may be able to view the administrator's password.
It is reported that the 'config.xml' file may contain the administrator password used to boot the server. The password will reportedly be in clear text.
Impact: A local user may be able to view the administrative password.
Solution: BEA has issued a fix (Service Pack 2) for WebLogic Server and Express 8.1.
Vendor URL: dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_50.00.jsp
Cause: Access control error
Underlying OS: Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)
Message History:
None.
Source Message Contents
Date: Tue, 27 Jan 2004 01:27:25 -0500
Subject: http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_50.00.jsp
http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_50.00.jsp
> SECURITY ADVISORY (BEA04-50.00)
> Minor Subject: Upgrade available to protect password.
A vulnerability was reported in BEA WebLogic Server and Express version 8.1 (including
Service Pack 1). It is reported that the 'config.xml' file may contain the administrator
password used to boot the server.
BEA has issued a fix (Service Pack 2) for WebLogic Server and Express 8.1.
--
> Threat level: Low - It requires a user to have read access to a config.xml file for
> a production domain.
> Severity: High - The administrator's password may be compromised.
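An audit for the condition described above, added here as an example and not taken from BEA or SecurityTracker: it flags password-like attributes in a 'config.xml' whose values are not in encrypted form, and reports whether the file is readable beyond its owner. The `{3DES}`/`{AES}` prefixes as the marker of an encrypted value, the attribute-name match, and the sample document (including the hypothetical `ExampleElement`) are assumptions.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Assumption: an encrypted value starts with one of these prefixes.
ENCRYPTED_PREFIXES = ("{3DES}", "{AES}")

def cleartext_password_attrs(xml_text):
    """Return (element, attribute) pairs whose password-like value is not encrypted."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for name, value in elem.attrib.items():
            if ("password" in name.lower() and value
                    and not value.startswith(ENCRYPTED_PREFIXES)):
                findings.append((elem.tag, name))
    return findings

def readable_beyond_owner(path):
    """True if group or other has read permission (POSIX mode bits only)."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

def audit(path):
    """Combine the content check and the permission check for one config.xml."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return {"cleartext": cleartext_password_attrs(text),
            "exposed": readable_beyond_owner(path)}

# Constructed sample, not from a real domain. ExampleElement is hypothetical:
# the advisory does not say where in the file the password is written.
SAMPLE = """<Domain Name="exampledomain">
  <Server Name="adminserver" ListenPort="7001"/>
  <JDBCConnectionPool Name="pool1" PasswordEncrypted="{3DES}c2FtcGxl"/>
  <ExampleElement Name="boot" Password="example-cleartext"/>
</Domain>"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "config.xml")
        with open(p, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(p, 0o644)  # other-readable: the precondition the advisory names
        print(audit(p))
```

On Windows the mode-bit check does not reflect ACLs, so the permission result there needs a separate ACL review.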