US-CERT Vulnerability Notes Database
Vulnerability Note VU#470470

BEA WebLogic Server fails to properly associate re-created groups

Overview

WebLogic Server contains a vulnerability that could result in the creation of new groups inheriting the privileges of a previously deleted group if members of the deleted group still exist.

I. Description

BEA Systems describes WebLogic Server as "an industrial-strength application infrastructure for developing, integrating, securing, and managing distributed Java applications." The WebLogic Authentication provider is the default authentication mechanism and allows system administrators to manage users and group memberships. Under certain circumstances, members of one group may be unintentionally granted the privileges of a legacy group. If the legacy group had administrative access, then the new group would also inherit these privileges.

According to the BEA Security Advisory,

    This vulnerability affects sites that are using the WebLogic Authentication provider as the default authentication provider in a security realm and the following sequence of events occurs.
    1. The system administrator creates a group (for example, Group1).
    2. The system administrator then creates a second group (for example, Group2).
    3. The system administrator makes Group1 a member of Group2.
    4. The system administrator deletes Group2 and then later creates it again.
    Even though Group2 is a new group, it has Group1 as a member. If Group1 has administrative privileges, now Group2 will also have administrative privileges even though it was never explicitly granted those privileges when it was created the second time.
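The four-step sequence quoted above, modelled as an added example (this is not WebLogic code and the class names are hypothetical): a toy group store that keys membership edges by group name reproduces the stale membership when the delete does not cascade, and the same store with a cascading delete shows the corrected behaviour.

```python
from collections import defaultdict


class GroupStore:
    """Toy model of a group directory (added example, not WebLogic code).

    Membership edges are keyed by group name. With cascade_on_delete=False the
    store behaves as the advisory describes: deleting a group leaves its member
    list behind, so a group re-created under the same name inherits it.
    With cascade_on_delete=True the edges are removed together with the group.
    """

    def __init__(self, cascade_on_delete):
        self.cascade = cascade_on_delete
        self.groups = set()
        self.members = defaultdict(set)  # group name -> names of its members
        self.admin_groups = set()        # group names holding the Admin role

    def create_group(self, name):
        self.groups.add(name)

    def delete_group(self, name):
        self.groups.discard(name)
        self.admin_groups.discard(name)
        if self.cascade:
            self.members.pop(name, None)          # drop the group's own member list
            for member_set in self.members.values():
                member_set.discard(name)          # and its memberships elsewhere

    def add_member(self, group, member):
        self.members[group].add(member)

    def grant_admin(self, group):
        self.admin_groups.add(group)

    def has_admin(self, group, seen=None):
        """Admin propagates from member groups to the containing group, in the
        direction the advisory describes (Group1 in Group2 -> Group2 is admin)."""
        seen = set() if seen is None else seen
        if group in seen:                  # guard against membership cycles
            return False
        seen.add(group)
        if group in self.admin_groups:
            return True
        return any(self.has_admin(m, seen) for m in self.members.get(group, ()))


def reproduce(cascade_on_delete):
    """Run the advisory's sequence; return the re-created Group2's members
    and whether it is now administrative without ever being granted the role."""
    s = GroupStore(cascade_on_delete)
    s.create_group("Group1")
    s.create_group("Group2")
    s.add_member("Group2", "Group1")
    s.grant_admin("Group1")
    s.delete_group("Group2")
    s.create_group("Group2")           # same name, never granted admin
    return sorted(s.members.get("Group2", ())), s.has_admin("Group2")
```

`reproduce(False)` returns `(["Group1"], True)`, the advisory's outcome; `reproduce(True)` returns `([], False)`.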

The BEA Security Advisory states that the following versions of WebLogic Server and Express are affected by this vulnerability:
  • WebLogic Server and WebLogic Express version 8.1 through Service Pack 2, on all platforms
  • WebLogic Server and WebLogic Express version 7.0 through Service Pack 4, on all platforms

II. Impact

A group of users may be unintentionally granted administrative privileges.

III. Solution

Upgrade

BEA has released an advisory to address this issue. According to the BEA Security Advisory, it is recommended that users take the following action:

    WebLogic Server and WebLogic Express version 8.1
    1. Upgrade to WebLogic Server and WebLogic Express version 8.1 Service Pack 2.
    3. Locate the wlSecurityProviders81.jar in the directory structure of 8.1 Service Pack 2.
    4. Replace the wlSecurityProviders81.jar with the renamed .jar file.
    WebLogic Server version 8.1 Service Pack 3 will include the functionality in this patch.

    WebLogic Server and WebLogic Express version 7.0
    1. Upgrade to WebLogic Server and WebLogic Express version 7.0 Service Pack 5.

Systems Affected

Vendor | Status | Date Notified | Date Updated
BEA Systems Inc. | Vulnerable | 16-Apr-2004

References

http://secunia.com/advisories/11356/
http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_52.00.jsp
http://edocs.bea.com/wls/docs70/secmanage/providers.html#1165012

Credit

This vulnerability was reported by BEA Systems Inc.

This document was written by Damon Morda.

Other Information

Date Public: 2004-04-14
Date First Published: 2004-04-16
Date Last Updated: 2004-04-19
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric: 0.52
Document Revision: 20

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Copyright 2004 Carnegie Mellon University