search menu icon-carat-right cmu-wordmark

CERT Coordination Center

BEA WebLogic Server configuration wizard stores administrative credentials in clear text log files

Vulnerability Note VU#574222

Original Release Date: 2004-04-23 | Last Revised: 2004-04-23


There is a vulnerability in BEA WebLogic Server in which a user with access to log files generated by the configuration wizard could obtain the administrative username and password.


BEA Systems describes WebLogic Server as "an industrial-strength application infrastructure for developing, integrating, securing, and managing distributed Java applications." WebLogic Server supplies a Configuration Wizard for UNIX and Windows systems that allows an administrator to use configuration templates to simplify the setup process. There is a vulnerability in the (UNIX) and config.cmd (Windows) configuration tools that could result in the administrative username and password being stored in the clear text log file produced by these tools.

The BEA Security Advisory states that the following versions of WebLogic Server and Express are affected by this vulnerability:

    • WebLogic Server and WebLogic Express 8.1 released through Service Pack 2, on all platforms


A user with privileges to access log files produced by the configuration tools could obtain the administrative username and password.


WebLogic Server and WebLogic Express version 8.1

1. Upgrade to WebLogic Server and WebLogic Express version 8.1 Service Pack 2.
2. Install the patch from:

WebLogic Server version 8.1 Service Pack 3 will include the functionality in this patch.

Vendor Information


BEA Systems Inc. Affected

Updated:  April 23, 2004



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


Please refer to BEA Security Advisory BEA04-58.00.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



This vulnerability was reported by BEA Systems Inc.

This document was written by Damon Morda.

Other Information

CVE IDs: None
Severity Metric: 4.41
Date Public: 2004-04-21
Date First Published: 2004-04-23
Date Last Updated: 2004-04-23 20:20 UTC
Document Revision: 14

Sponsored by CISA.