The BEA WebLogic Server contains a vulnerability that may allow users who authenticated to a web application before it was updated to bypass authentication when they access the web application after the update.
The BEA WebLogic Server can store user authentication information for reuse in future sessions. Because of this vulnerability, that stored information is not erased when a web application is updated using "dynamic redeployment". As a result, users who authenticate before a web application is updated may be able to bypass authentication when they access the updated web application, even if the update changed the credentials or authentication mechanism the application requires.
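The following is an added illustrative model of the failure mode described above; it is not WebLogic code and does not reproduce BEA's implementation. It models a server that keeps authenticated sessions in memory, a redeployment that swaps in a new user table without discarding that state, and two corrections: clearing stored authentication state on redeploy, and binding each session to a deployment generation so that a stale session is rejected. All class, method and user names are this example's own assumptions.

```python
import secrets


class WebApp:
    """Minimal model of a web application whose server keeps authenticated
    sessions in memory. Class and method names are this example's own."""

    def __init__(self, users):
        self.users = dict(users)   # username -> password accepted by this deployment
        self.generation = 0        # bumped on every redeploy
        self.sessions = {}         # session id -> (username, generation at login)

    def login(self, username, password):
        """Authenticate against the current deployment's user table."""
        if self.users.get(username) != password:
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = (username, self.generation)
        return sid

    def redeploy(self, users, clear_stored_auth):
        """Dynamic redeployment with a new user table (e.g. a changed
        authentication mechanism). The flaw described in the advisory
        corresponds to clear_stored_auth=False: the application code is
        replaced but stored authentication information survives."""
        self.users = dict(users)
        self.generation += 1
        if clear_stored_auth:
            self.sessions.clear()

    def current_user(self, sid, check_generation=False):
        """Resolve a request's session to a user, or None if unauthenticated.
        check_generation adds defence in depth: a session created under an
        earlier deployment is rejected even if it was never cleared."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        username, gen = entry
        if check_generation and gen != self.generation:
            del self.sessions[sid]
            return None
        return username


def stale_session_survives(clear_stored_auth, check_generation=False):
    """Return True if a user who authenticated before a redeploy that removes
    their account is still treated as authenticated afterwards."""
    app = WebApp({"alice": "old-secret"})          # constructed sample user table
    sid = app.login("alice", "old-secret")
    assert sid is not None
    # Redeploy with an updated auth mechanism under which alice has no account.
    app.redeploy({"bob": "new-secret"}, clear_stored_auth=clear_stored_auth)
    # alice can no longer log in ...
    assert app.login("alice", "old-secret") is None
    # ... but does her pre-update session still get through?
    return app.current_user(sid, check_generation=check_generation) == "alice"


if __name__ == "__main__":
    print("vulnerable:", stale_session_survives(clear_stored_auth=False))        # True
    print("fixed (clear on redeploy):", stale_session_survives(True))           # False
    print("fixed (generation check):", stale_session_survives(False, True))     # False
```

Clearing the stored state at redeploy time is the direct fix for the behaviour the advisory describes; the generation check is an independent safeguard that also catches any cache the redeploy path forgot to flush.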
This vulnerability is particularly significant when the update to a given web application affects its authentication mechanism. The following scenario provides a possible example of the effects of this vulnerability:
This vulnerability may allow remote users to bypass the authentication mechanism of a given web application.
Apply a patch
The CERT/CC thanks BEA Systems, Inc. for reporting this vulnerability.
This document was written by Jeffrey P. Lanza.
Date First Published: 2003-03-26
Date Last Updated: 2003-03-26 22:27 UTC