Vulnerability Note VU#858990
BEA WebLogic Server fails to properly associate the user identity on subsequent client connections
BEA WebLogic Server fails to properly associate a user's identity when a client attempts to connect multiple times using different client certificates.
BEA Systems describes WebLogic Server as "an industrial-strength application infrastructure for developing, integrating, securing, and managing distributed Java applications." WebLogic Server provides a feature that allows users to be issued client certificates. When connecting to the server, the client's certificate is associated with a specific user identity. There is a vulnerability in the way WebLogic Server associates client certificates with user identities. By supplying a different client certificate upon subsequent connections, the WebLogic Server may associate the client certificate with the incorrect user identity.
According to the BEA Security Advisory, the following versions of WebLogic Server and Express are affected by this vulnerability:
A user may gain access to another user's identity. According to the BEA Security Advisory, this vulnerability "allows one user to execute commands as another user."
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|BEA Systems Inc.||Affected||-||09 Apr 2004|
CVSS Metrics (Learn More)
This vulnerability was reported by BEA Systems Inc.
This document was written by Lucy Crocker.
- CVE IDs: Unknown
- Date Public: 27 Jan 2004
- Date First Published: 09 Apr 2004
- Date Last Updated: 12 Apr 2004
- Severity Metric: 5.35
- Document Revision: 11
If you have feedback, comments, or additional information about this vulnerability, please send us email.