
CERT Coordination Center

BEA WebLogic Server fails to discard cached authentication information when web applications are updated

Vulnerability Note VU#691153

Original Release Date: 2003-03-26 | Last Revised: 2003-03-26


The BEA WebLogic Server contains a vulnerability that may allow users who authenticated to a web application before it was updated to bypass the authentication of the updated application.


The BEA WebLogic Server provides a feature that allows it to store user authentication information for future sessions. This product contains a vulnerability that prevents this stored information from being erased when a given web application is updated using "dynamic redeployment". As a result, users who authenticate prior to an update of a web application may be able to bypass authentication when accessing the web application after an update.

This vulnerability is particularly significant when the update to a given web application affects its authentication mechanism. The following scenario provides a possible example of the effects of this vulnerability:

    • "User A" successfully authenticates to "Web Application Z"
    • "Web Application Z" stores the authentication credentials for future sessions
    • "Web Application Z" is updated with a new authentication policy that should prevent "User A" from gaining access
    • "User A" attempts to connect to "Web Application Z"
    • "Web Application Z" grants access to "User A" based upon the previously stored credentials
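The defensive design the scenario calls for is to tie every stored authentication to the deployment it was made under, so that an update discards it. The following servlet filter is an added example, not BEA's code or patch; it assumes the application's login code calls `markAuthenticated` after a successful credential check, that a `/login` page exists, and that the web application's classes are reloaded on redeployment (so `GENERATION` differs for each deployed version).

```java
import java.io.IOException;
import java.util.UUID;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical mitigation: accept a session's stored authentication only
 *  if it was established under the currently deployed application version. */
public class DeploymentGenerationFilter implements Filter {
    static final String PRINCIPAL_ATTR = "auth.principal";
    static final String GENERATION_ATTR = "auth.deploymentGeneration";
    // Assumption: the application's classes are reloaded on redeployment,
    // so each deployed version gets a fresh, unpredictable generation id.
    static final String GENERATION = UUID.randomUUID().toString();

    /** Called by the (hypothetical) login code after a successful check. */
    static void markAuthenticated(HttpSession session, String principal) {
        session.setAttribute(PRINCIPAL_ATTR, principal);
        session.setAttribute(GENERATION_ATTR, GENERATION);
    }

    /** True only if the session was authenticated under this deployment. */
    static boolean isAuthenticatedHere(HttpSession session) {
        return session != null
            && session.getAttribute(PRINCIPAL_ATTR) != null
            && GENERATION.equals(session.getAttribute(GENERATION_ATTR));
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);
        if (session != null && session.getAttribute(PRINCIPAL_ATTR) != null
                && !isAuthenticatedHere(session)) {
            // "User A" authenticated before "Web Application Z" was updated:
            // discard the stale authentication instead of honouring it.
            session.invalidate();
            ((HttpServletResponse) res).sendRedirect(http.getContextPath() + "/login");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

Map the filter to every protected URL pattern in web.xml; a session carrying a principal from a previous deployment is then forced back through the new authentication policy rather than admitted on cached credentials.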


This vulnerability may allow remote users to bypass the authentication mechanism of a given web application.


Apply a patch
BEA Systems Inc. has published Security Advisory BEA03-27.00 to address this vulnerability. For more information, please see

Vendor Information


BEA Systems Inc.: Affected

Notified: March 24, 2003 | Updated: March 26, 2003



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.





The CERT/CC thanks BEA Systems, Inc. for reporting this vulnerability.

This document was written by Jeffrey P. Lanza.

Other Information

CVE IDs: None
Severity Metric: 0.19
Date Public: 2003-03-18
Date First Published: 2003-03-26
Date Last Updated: 2003-03-26 22:27 UTC
Document Revision: 13

Sponsored by CISA.