Vulnerability Note VU#350350

BEA WebLogic Server stores administrator password in clear text in config.xml

Overview

BEA WebLogic Server stores the administrator password used to boot the server in clear text within the config.xml file.

I. Description

BEA Systems describes WebLogic Server as "an industrial-strength application infrastructure for developing, integrating, securing, and managing distributed Java applications." There is a vulnerability in the way BEA WebLogic Server stores the administrative password used to boot the server.

According to the BEA Security Advisory,

    Due to a coding error, the administrator password used to boot the server might automatically be written in clear text to the config.xml file. A user with access to the config.xml file can obtain the password and use it to impersonate an administrator.

The BEA Security Advisory states that the following versions of WebLogic Server and Express are affected by this vulnerability:
  • WebLogic Server and Express 8.1 (initial release and Service Pack 1), on all platforms

II. Impact

A user with access to the config.xml file may acquire the administrator password used to boot the server. The user could subsequently use this password to impersonate an administrator.
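The exposure described above can be checked for on a running installation: walk the config.xml, flag any credential-like attribute whose value is not in the encrypted form WebLogic normally writes, and confirm the file is not readable by other local users. This is an added example, not code from US-CERT or BEA; the attribute names it matches ("password"/"credential") and the `{3DES}`-style prefix it treats as encrypted are assumptions about the config.xml format, and the sample document is constructed.

```python
import os
import re
import stat
import xml.etree.ElementTree as ET

# Assumption: attributes holding secrets have names containing one of these words.
SECRET_ATTR_RE = re.compile(r"(password|credential)", re.IGNORECASE)
# Assumption: values written by WebLogic's encryption service carry a prefix such
# as {3DES} or {AES}; anything without such a prefix is treated as clear text.
ENCRYPTED_VALUE_RE = re.compile(r"^\{[A-Za-z0-9]+\}.+")


def find_cleartext_secrets(config_xml: str) -> list[tuple[str, str]]:
    """Return (element_path, attribute_name) pairs whose value looks like a clear-text secret."""
    root = ET.fromstring(config_xml)
    findings: list[tuple[str, str]] = []

    def walk(elem: ET.Element, path: str) -> None:
        for name, value in elem.attrib.items():
            if SECRET_ATTR_RE.search(name) and value and not ENCRYPTED_VALUE_RE.match(value):
                findings.append((path, name))
        for child in elem:
            walk(child, f"{path}/{child.tag}")

    walk(root, root.tag)
    return findings


def is_world_readable(path: str) -> bool:
    """True if any local user can read the file (the access the advisory warns about)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


# Constructed sample resembling an 8.1-era config.xml: one credential is encrypted,
# one connection-pool password has been written in clear text.
SAMPLE_CONFIG = """<Domain Name="mydomain">
  <Server Name="myserver" ListenPort="7001"/>
  <Security Name="mydomain" Credential="{3DES}Q2xpZW50U2VjcmV0"/>
  <JDBCConnectionPool Name="pool" Password="plainpw"/>
  <EmbeddedLDAP Name="mydomain" Credential="{3DES}YWJj"/>
</Domain>"""

if __name__ == "__main__":
    for elem_path, attr in find_cleartext_secrets(SAMPLE_CONFIG):
        print(f"clear-text secret in {elem_path} attribute {attr}")
```

On a real host, run find_cleartext_secrets over the contents of the domain's config.xml and is_world_readable on its path; a hit on either is the condition this note describes.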

III. Solution

Apply Patch

BEA has released an advisory addressing this issue. According to the BEA Security Advisory, users should upgrade to Service Pack 2.

Systems Affected

Vendor            Status      Date Notified   Date Updated
BEA Systems Inc.  Vulnerable                  12-Apr-2004

References


http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_50.00.jsp
http://www.secunia.com/advisories/10728/
http://www.securityfocus.com/bid/9503/

Credit

This vulnerability was reported by BEA Systems Inc.

This document was written by Lucy Crocker.

Other Information

Date Public: 2004-01-27
Date First Published: 2004-04-12
Date Last Updated: 2004-04-14
CERT Advisory: 
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Metric: 7.24
Document Revision: 10

Copyright 2004 Carnegie Mellon University