search menu icon-carat-right cmu-wordmark

CERT Coordination Center

BEA WebLogic Server fails to properly associate the user identity on subsequent client connections

Vulnerability Note VU#858990

Original Release Date: 2004-04-09 | Last Revised: 2004-04-12

Overview

BEA WebLogic Server fails to properly associate a user's identity when a client attempts to connect multiple times using different client certificates.

Description

BEA Systems describes WebLogic Server as "an industrial-strength application infrastructure for developing, integrating, securing, and managing distributed Java applications." WebLogic Server provides a feature that allows users to be issued client certificates. When connecting to the server, the client's certificate is associated with a specific user identity. There is a vulnerability in the way WebLogic Server associates client certificates with user identities. By supplying a different client certificate upon subsequent connections, the WebLogic Server may associate the client certificate with the incorrect user identity.

According to the BEA Security Advisory, the following versions of WebLogic Server and Express are affected by this vulnerability:

    • WebLogic Server and Express 7.0, released through Service Pack 4, all platforms

Impact

A user may gain access to another user's identity. According to the BEA Security Advisory, this vulnerability "allows one user to execute commands as another user."

Solution

Apply PatchBEA has released a patch to address this vulnerability. According to the BEA Security Advisory, it is recommended that users upgrade to Service Pack 4 and apply the patch.

Vendor Information

858990
 
Affected   Unknown   Unaffected

BEA Systems Inc.

Updated:  April 09, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please refer to BEA Security Advisory BEA04-47.00.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

This vulnerability was reported by BEA Systems Inc.

This document was written by Lucy Crocker.

Other Information

CVE IDs: None
Severity Metric: 5.35
Date Public: 2004-01-27
Date First Published: 2004-04-09
Date Last Updated: 2004-04-12 16:18 UTC
Document Revision: 11

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.