Vulnerability Note VU#574222

BEA WebLogic Server configuration wizard stores administrative credentials in clear text log files

Original Release date: 23 Apr 2004 | Last revised: 23 Apr 2004

Overview

There is a vulnerability in BEA WebLogic Server in which a user with access to log files generated by the configuration wizard could obtain the administrative username and password.

Description

BEA Systems describes WebLogic Server as "an industrial-strength application infrastructure for developing, integrating, securing, and managing distributed Java applications." WebLogic Server supplies a Configuration Wizard for UNIX and Windows systems that allows an administrator to use configuration templates to simplify the setup process. There is a vulnerability in the config.sh (UNIX) and config.cmd (Windows) configuration tools that could result in the administrative username and password being stored in the clear text log file produced by these tools.

The BEA Security Advisory states that the following versions of WebLogic Server and Express are affected by this vulnerability:

  • WebLogic Server and WebLogic Express 8.1 released through Service Pack 2, on all platforms

Impact

A user with privileges to access log files produced by the configuration tools could obtain the administrative username and password.

Solution

Upgrade

    WebLogic Server and WebLogic Express version 8.1
    WebLogic Server version 8.1 Service Pack 3 will include the functionality in this patch.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
BEA Systems Inc.Affected-23 Apr 2004
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This vulnerability was reported by BEA Systems Inc.

This document was written by Damon Morda.

Other Information

  • CVE IDs: Unknown
  • Date Public: 21 Apr 2004
  • Date First Published: 23 Apr 2004
  • Date Last Updated: 23 Apr 2004
  • Severity Metric: 4.41
  • Document Revision: 11

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.