Vulnerability Note VU#658878
BEA WebLogic Server allows unauthorized removal of EJB objects
There is a vulnerability in the BEA WebLogic Server that could allow the unauthorized removal of an Enterprise JavaBean (EJB).
BEA Systems describes WebLogic Server as "an industrial-strength application infrastructure for developing, integrating, securing, and managing distributed Java applications." The WebLogic server supports the use of Enterprise JavaBean (EJB) applications. EJB is a component architecture used for building distributed, object-oriented business applications.
When designing an EJB application, there are various methods used to provide an interface with the WebLogic Server. There is a vulnerability in the way WebLogic Server handles calls to the remove() method. When an application implements this remove() method, the application can remove a stateful EJB object from a remote view even if that application does not have permission to remove it.
Enterprise JavaBean applications implementing the remove() method could allow unauthorized users to remove EJB objects from remote views.
1. Upgrade to WebLogic Server and WebLogic Express version 8.1 Service Pack 2.
2. Install the patch from: ftp://ftpna.beasys.com/pub/releases/security/CR134122_810sp2.jar
1. Upgrade to WebLogic Server and WebLogic Express version 6.1 Service Pack 6
2. Install the patch from: ftp://ftpna.beasys.com/pub/releases/security/CR134122_610sp6.jar
WebLogic Server version 6.1 Service Pack 7 will include the functionality in this patch.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|BEA Systems Inc.||Affected||-||23 Apr 2004|
CVSS Metrics (Learn More)
This vulnerability was reported by BEA Systems Inc.
This document was written by Damon Morda.
- CVE IDs: Unknown
- Date Public: 21 Apr 2004
- Date First Published: 23 Apr 2004
- Date Last Updated: 23 Apr 2004
- Severity Metric: 3.90
- Document Revision: 17
If you have feedback, comments, or additional information about this vulnerability, please send us email.