Vulnerability Note VU#331937

BEA WebLogic Server "ResourceAllocationException" exception may disclose user password

Original Release date: 15 Jan 2003 | Last revised: 20 Jan 2003

Overview

A vulnerability in BEA's WebLogic Server may disclose sensitive information.

Description

From the BEA WebLogic Server 7.0 Overview:

    BEA WebLogic Server is a fully featured, standards-based application server providing the foundation on which an enterprise can build its applications.

BEA released a security advisory (BEA03-24.00) detailing an information disclosure vulnerability. Quoting from BEA03-24.00:

    This vulnerability concerns the display of the system password. If an application is using a bridge to route messages to a JMS target domain, and either that domain is not available, or a configuration problem prevents the obtaining of an initial context for the JMS target domain, WebLogic Server throws a ResourceAllocationException that may include the user’s password.

Impact

A remote attacker may be able to gain access to the system password.

Solution

Apply a patch.
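
The following Python script is an added example, not part of the original note or of BEA's advisory. It audits log records that mention ResourceAllocationException for an embedded password and masks the value. It assumes the exception text was written to a line-oriented log and that the credential appears as a key/value pair; the key names and the sample records are constructed for illustration.

```python
import re

EXCEPTION = "ResourceAllocationException"

# Assumption: the credential shows up as "key=value" or "key: value".
# The key names below are guesses, not taken from BEA's advisory.
CRED = re.compile(
    r"(?i)\b(password|passwd|pwd|credentials?)\b(\s*[=:]\s*)"
    r"(\"[^\"]*\"|'[^']*'|[^\s,;\]\)]+)"
)

def redact(line):
    """Return (line with credential values masked, number of values masked)."""
    return CRED.subn(lambda m: m.group(1) + m.group(2) + "<redacted>", line)

def audit(lines):
    """Yield (line_number, redacted_line) for exception records carrying a credential."""
    for number, line in enumerate(lines, 1):
        if EXCEPTION not in line:
            continue  # only the exception named in the advisory is in scope
        clean, hits = redact(line)
        if hits:
            yield number, clean

# Constructed sample records (not real WebLogic output).
SAMPLE = [
    "2003-01-12 10:01:07 ERROR bridge: ResourceAllocationException: "
    "cannot get initial context (user=bridgeuser, password=Examp1e!)",
    "2003-01-12 10:01:09 ERROR bridge: ResourceAllocationException: "
    "target domain unavailable",
    "2003-01-12 10:02:00 INFO login ok for user=alice",
    "2003-01-12 10:05:41 ERROR bridge: ResourceAllocationException: "
    'context failed; Password: "two words"',
]

if __name__ == "__main__":
    for number, clean in audit(SAMPLE):
        print(f"line {number}: {clean}")
```

Any password found this way should be treated as exposed and changed, and the affected log files handled as sensitive until they are cleaned.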

Systems Affected

Vendor            Status    Date Notified  Date Updated
BEA Systems Inc.  Affected  -              15 Jan 2003
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

Our thanks to BEA Systems for providing BEA03-24.00.

This document was written by Ian A Finlay.

Other Information

  • CVE IDs: Unknown
  • Date Public: 11 Jan 2003
  • Date First Published: 15 Jan 2003
  • Date Last Updated: 20 Jan 2003
  • Severity Metric: 17.28
  • Document Revision: 5

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.