SecurityTracker.com
SecurityTracker Archives

Category:  Application (Web Server/CGI)  >  WebLogic
Vendors:  BEA Systems
BEA WebLogic role-name Tag Error May Let Remote Users Access Applications
SecurityTracker Alert ID:  1010602
SecurityTracker URL:  http://securitytracker.com/id?1010602
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jun 29 2004
Impact:  User access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): 7.0, 8.1
Description:  A vulnerability was reported in BEA's WebLogic Server and WebLogic Express in the interpretation of the special "*" value in web.xml <role-name> tags. A remote authenticated user may be able to gain access to application functions that the deployment descriptor was meant to restrict to specific roles.

BEA Systems reported that if a web application specifies a role of name "*" in a <role-name> tag contained within a <security-constraint> tag (that is, inside its <auth-constraint>), then access restrictions can be bypassed in certain cases.

According to the report, the Servlet 2.3 specification defines an asterisk in the role-name as shorthand for all roles defined in the web application, so a caller must hold at least one of the declared roles. However, WebLogic Server interprets the asterisk as any authenticated user. As a result, a remote authenticated user that has no defined roles can access the protected application resources.

Impact:  A remote user may be able to gain unauthorized access to an application.
Solution:  BEA has provided the following solution recommendations [quoted]:

For WebLogic Server and WebLogic Express version 8.1 or WebLogic Server and WebLogic Express version 7.0:

Remove the * role name from all web.xml files where the intended meaning of * was to
restrict users who are not in roles defined in the current Web application. Replace this with a <role-name> tag for each role defined in the web.xml file.

Or

For WebLogic Server and WebLogic Express version 8.1:

* Upgrade to Service Pack 2 and apply the patch available from:
ftp://ftpna.beasys.com/pub/releases/security/CR175310_810sp2.jar

For WebLogic Server and WebLogic Express version 7.0:

* Upgrade to Service Pack 5 and apply the patch available from:
ftp://ftpna.beasys.com/pub/releases/security/CR175310_700sp5.jar
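The two readings of "*" described above, and the descriptor fix BEA recommends in the Solution, as an added worked example (this is not BEA's or SecurityTracker's code). The Python script below parses a web.xml, models how an authenticated user with no declared role fares under the Servlet 2.3 reading versus the WebLogic reading, and then rewrites each <auth-constraint> that uses "*" to list one <role-name> per role declared in <security-role>, which is the manual fix from the advisory. The sample descriptor, its URL pattern and the role names manager and auditor are constructed for the example; is_authorized() is a simplified model of container role checking, not WebLogic's implementation, and whitespace around role names is assumed to be insignificant.

```python
"""Audit a Servlet 2.3 web.xml for the ambiguous "*" role-name.

Added example, not BEA's or SecurityTracker's code. It (1) models the two
readings of <role-name>*</role-name> so the bypass is visible for a user who
authenticated but holds none of the declared roles, and (2) applies the fix
BEA recommends: replace "*" with one <role-name> per declared <security-role>.
"""
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not taken from the advisory). The role
# names and URL pattern are placeholders.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-role><role-name>manager</role-name></security-role>
  <security-role><role-name>auditor</role-name></security-role>
</web-app>
"""

# Same descriptor with no <security-role> declarations: "*" then expands to
# nothing, and an empty <auth-constraint> denies every caller.
SAMPLE_NO_ROLES = "\n".join(
    line for line in SAMPLE_WEB_XML.splitlines() if "<security-role>" not in line)


def _text(el):
    """Element text with surrounding whitespace removed (assumed insignificant)."""
    return (el.text or "").strip()


def declared_roles(root):
    """Roles listed in <security-role> elements, in document order."""
    return [_text(rn) for rn in root.iterfind("security-role/role-name")]


def constraint_roles(xml_text):
    """Role names of each <auth-constraint>, in document order (for review)."""
    root = ET.fromstring(xml_text)
    return [[_text(rn) for rn in ac.iterfind("role-name")]
            for ac in root.iterfind("security-constraint/auth-constraint")]


def is_authorized(user_roles, roles_in_constraint, declared, weblogic_semantics=False):
    """Decide access for an authenticated user under one reading of "*".

    Servlet 2.3: "*" stands for every role declared in the descriptor, so the
    caller must hold at least one of them.
    WebLogic 7.0/8.1 before the patch (per the advisory): "*" matches any
    authenticated caller, roles or not. Simplified model, not WebLogic's code.
    """
    allowed = set()
    for role in roles_in_constraint:
        if role == "*":
            if weblogic_semantics:
                return True  # any authenticated caller passes: the bypass
            allowed.update(declared)
        else:
            allowed.add(role)
    return bool(allowed & set(user_roles))


def expand_wildcards(xml_text):
    """Apply BEA's descriptor fix. Returns (fixed_xml, constraints_changed)."""
    root = ET.fromstring(xml_text)
    declared = declared_roles(root)
    changed = 0
    for ac in root.iterfind("security-constraint/auth-constraint"):
        stars = [rn for rn in ac.iterfind("role-name") if _text(rn) == "*"]
        if not stars:
            continue
        for rn in stars:
            ac.remove(rn)
        present = {_text(rn) for rn in ac.iterfind("role-name")}
        added = []
        for role in declared:
            if role not in present:  # keep explicit roles, avoid duplicates
                el = ET.SubElement(ac, "role-name")
                el.text = role
                added.append(el)
        for el in added:  # keep the descriptor's indentation readable
            el.tail = ac.text
        if added:
            added[-1].tail = stars[-1].tail
        changed += 1
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    declared = declared_roles(ET.fromstring(SAMPLE_WEB_XML))
    print("no-role user, spec reading:    ", is_authorized([], ["*"], declared))
    print("no-role user, WebLogic reading:", is_authorized([], ["*"], declared, True))
    fixed, n = expand_wildcards(SAMPLE_WEB_XML)
    print("constraints rewritten:", n)
    print(fixed)
```

Run it as python3 audit_web_xml.py (the file name is a placeholder) to see the rewritten descriptor. One caveat worth checking before committing the rewrite: a descriptor that declares no <security-role> at all leaves the <auth-constraint> empty, which under the Servlet specification denies every caller; the script preserves that outcome rather than guessing a role. Later Servlet specifications (3.1 onward) added a separate "**" role-name that means any authenticated user, which is exactly the semantics WebLogic 7.0 and 8.1 were wrongly giving to "*" here.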

Vendor URL:  dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_64.00.jsp
Cause:  Access control error
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Date:  Mon, 28 Jun 2004 23:30:08 -0400
Subject:  http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_64.00.jsp

 

http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_64.00.jsp

 > Security Advisory: (BEA04-64.00)
 >
 > From: BEA Systems Inc.
 >
 > Minor Subject: Patches available to protect Web Applications
 >
 > Product(s) Affected: WebLogic Server and WebLogic Express
 >
 > Threat level: Low - Relies on the use of a relatively obscure portion of the Servlet 2.3
 > specification in the Web application’s deployment descriptor.
 >
 > Severity: Low - A successful exploitation can result in some application security being
 > bypassed.

BEA Systems reported that if a Web application has specified a role of name "*" in a <role-name> tag contained within a <security-constraint> tag, then access restrictions can be bypassed in certain cases. According to the report, the Servlet 2.3 specification indicates that an asterisk in the role-name is defined to refer to all roles in the web application. However, the WebLogic Server interprets an asterisk to refer to any user. As a result, a remote authenticated user that has no defined roles can access the application. WebLogic Server and WebLogic Express 7.0 and 8.1 are affected.

BEA has provided the following solution recommendations [quoted]:

For WebLogic Server and WebLogic Express version 8.1 or WebLogic Server and WebLogic Express version 7.0:

Remove the * role name from all web.xml files where the intended meaning of * was to restrict users who are not in roles defined in the current Web application. Replace this with a <role-name> tag for each role defined in the web.xml file.

Or

For WebLogic Server and WebLogic Express version 8.1:

* Upgrade to Service Pack 2 and apply the patch available from:
ftp://ftpna.beasys.com/pub/releases/security/CR175310_810sp2.jar

WebLogic Server version 8.1 Service Pack 3 will include the functionality in this patch.

For WebLogic Server and WebLogic Express version 7.0:

* Upgrade to Service Pack 5 and apply the patch available from:
ftp://ftpna.beasys.com/pub/releases/security/CR175310_700sp5.jar

WebLogic Server version 7.0 Service Pack 6 will include the functionality in this patch.



Copyright 2004, SecurityGlobal.net LLC