Vulnerability Note VU#920238
BEA WebLogic Server stores database password in clear text in "config.xml"
WebLogic Server contains a vulnerability that may expose the database username and password in clear text in the config.xml file.
BEA Systems describes WebLogic Server as "an industrial-strength application infrastructure for developing, integrating, securing, and managing distributed Java applications." There is a vulnerability in the WebLogic Server that may expose the database username and password for untargeted JDBC connection pools. Under certain circumstances, the database username and password may be stored in clear text within the config.xml file.
According to the BEA Security Advisory, this vulnerability occurs under the following circumstances:
The BEA Security Advisory states that the following versions of WebLogic Server and Express are affected by this vulnerability:
A user with access to the config.xml file may acquire the database username and password. The user could subsequently use this password to access the database.
1. Upgrade to WebLogic Server and WebLogic Express version 8.1 Service Pack 2.
2. Install the patch from: ftp://ftpna.beasys.com/pub/releases/security/CR128888_81sp2.jar
WebLogic Server version 8.1 Service Pack 3 will include the functionality in this patch.
WebLogic Server and WebLogic Express version 7.0
Upgrade to WebLogic Server and WebLogic Express version 7.0 Service Pack 5.
WebLogic Server and WebLogic Express version 6.1
1. Upgrade to WebLogic Server and WebLogic Express version 6.1 Service Pack 6
2. Install the patch from: ftp://ftpna.beasys.com/pub/releases/security/CR128888_61sp6.jar
WebLogic Server version 6.1 Service Pack 7 will include the functionality in this patch.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|BEA Systems Inc.||Affected||-||19 Apr 2004|
CVSS Metrics (Learn More)
This vulnerability was reported by BEA Systems Inc.
This document was written by Damon Morda.
- CVE IDs: Unknown
- Date Public: 14 Apr 2004
- Date First Published: 19 Apr 2004
- Date Last Updated: 19 Apr 2004
- Severity Metric: 5.94
- Document Revision: 14
If you have feedback, comments, or additional information about this vulnerability, please send us email.