Info

Disclosure

May 12, 2004

Discovery

Unknown

Dates

Exploit

May 12, 2004

Solution

Unknown

Description

BEA WebLogic Express and Server contains a flaw that may allow unprivilege Admin and Operator security roles start and stop server. The issue is due to the start and stop policies for Admin and Operator security roles aren't properly enforced. It is possible that the flaw may allow a local attacker to arbitrarily start and stop the webserver, resulting in a loss of availability.

Classification

Location: Local Access Required
Attack Type: Misconfiguration
Impact: Loss of Availability
Exploit: Exploit Available
Disclosure: OSVDB Verified

Solution

Upgrade to WebLogic Server and WebLogic Express version 8.1 SP2 or WebLogic Server and WebLogic Express version 7.0 SP5 or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

BEA Systems, Inc.	WebLogic Express	7.0
		7.0 SP1
		7.0 SP2
		7.0 SP3
		7.0 SP4
		8.1
		8.1 SP1
	WebLogic Server	7.0
		7.0 SP1
		7.0 SP2
		7.0 SP3
		7.0 SP4
		8.1
		8.1 SP1

References

Vendor Specific Solution URL: ftp://ftpna.beasys.com/pub/releases/security/CR173632_81sp2.jar ftp://ftpna.beasys.com/pub/releases/security/CR173632_70sp5.jar
Security Tracker: 1010129
Bugtraq ID: 10327
Secunia Advisory ID: 11594
ISS X-Force ID: 16121
CVE ID: 2004-0471 (see also: NVD)
Vendor Specific Advisory URL: http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_60.00.jsp
Other Advisory URL: http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_60.00.jsp

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/36218

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

BEA Systems, Inc.

WebLogic Express

WebLogic Server

References

Credit