3/20/03
CAN 2003-0151
WebLogic Server contains an internal, undocumented servlet
which it uses for its file upload function. This servlet
is publicly available and does not require authentication,
so a remote attacker could bypass access restrictions for
uploads by accessing the servlet directly. By uploading
malicious applications in this manner, it could be possible
for an attacker to execute commands with the permissions of
the WebLogic server. Furthermore, the servlet offers
additional operations which allow downloads of arbitrary
files, and retrieval of WebLogic users, groups, and hashed
passwords. WebLogic 6.0, 6.1, and 7.0 on all platforms
are affected by this vulnerability.
1/14/03
In some circumstances, it may be possible for a remote
attacker to view a user's password, which could then be used
to gain access to the server. This problem can only
be exploited if an application on the server is using a
bridge to route messages to a JMS target domain, and an
error occurs resulting in a resource allocation exception.
The password is included in the exception output.
WebLogic 6.1 prior to Service Pack 4, 7.0 prior to Service Pack 2, and 7.0.0.1 are affected.
7/12/02
CVE 2002-1030
Due to a race condition in the WebLogic server code, a
remote attacker could crash the WebLogic server if the
Performance Pack is enabled, as is the case in a
default installation. WebLogic version 5.1 prior to
Service Pack 13, version 6.0 prior to Service Pack 2 with Rolling
Pack 4, version 6.1 prior to Service Pack 4, and version 7.0 prior to
Service Pack 1 on Windows platforms are affected by this
vulnerability if unpatched.
5/1/02
A flaw in the processing of HTTP requests could allow a
remote attacker to bypass normal restrictions by submitting
a specially crafted URL containing a null character.
This could allow the attacker to view the source code of
.jsp files or view the physical path of the
web root, which could reveal information that would be useful
in planning a subsequent attack. Furthermore, this vulnerability
could be used to request DOS files, thus causing the server
to stop responding to requests if enough DOS files are requested.
Version 6.1 Service Pack 2 and earlier versions are affected by this vulnerability unless the appropriate service packs or patches have been applied.
1/11/02
CAN 2002-0106
When WebLogic receives a request which ends with the
.jsp extension, it invokes a compiler to
process the request. By requesting a DOS device with the
.jsp extension, such as aux.jsp,
an attacker can cause WebLogic to invoke a thread which
never finishes. By initiating a number of these types of
threads, the attacker could cause WebLogic to stop responding
to web requests.
WebLogic 6.1 prior to Service Pack 2 and possibly earlier versions are vulnerable to this attack.
The WebLogic server uses a different section of code to process requests beginning with ".." than it uses for normal requests. A buffer overflow in this section of the code could be used by a remote attacker to create a race condition which could lead to a server crash or the execution of arbitrary code.
BEA WebLogic Server 5.1.0 prior to Service Pack 7 is affected by this vulnerability.
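The three request-path entries above (the null character in a URL, the reserved DOS device name such as aux.jsp, and the separate code path for requests beginning with "..") share one defensive check: normalize the requested path and reject the dangerous forms before they reach the servlet engine, and flag them in access logs after the fact. The following is an added example written for this page, not code from BEA or from any of the cited advisories; it assumes a front-end filter or log-review script can see the raw request target, and the log lines and reserved-name table are constructed here. It generalizes beyond aux.jsp to the full set of Windows-reserved device names and to percent-encoded null bytes.

```python
import re
from urllib.parse import unquote

# Windows-reserved device names (assumption: the standard MS-DOS set).
# On Windows, opening any of these reaches the device even when an
# extension such as ".jsp" is appended, which is why "aux.jsp" hangs.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL", "CLOCK$"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Common Log Format request line, e.g.
# 10.0.0.5 - - [11/Jan/2002:10:00:01 -0500] "GET /index.jsp HTTP/1.0" 200 1234
LOG_REQUEST = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/'
)


def _device_stem(segment: str) -> str:
    """Reduce a path segment to the name Windows would match against
    the reserved-device table: strip trailing dots/spaces (Windows
    ignores them), drop everything after the first dot, upper-case."""
    name = segment.rstrip(". ")
    return name.split(".", 1)[0].upper()


def check_request_path(raw_path: str):
    """Return (ok, reason) for a request path as received on the wire.

    Decodes percent-encoding once, then rejects embedded null bytes,
    parent-directory ("..") segments, and reserved DOS device names.
    """
    path = unquote(raw_path)
    if "\x00" in path:
        return False, "null byte in path"
    for seg in path.split("/"):
        if not seg:
            continue
        if seg == "..":
            return False, "parent-directory segment"
        if _device_stem(seg) in RESERVED_DEVICE_NAMES:
            return False, f"reserved DOS device name '{seg}'"
    return True, "ok"


def scan_access_log(lines):
    """Run check_request_path over access-log lines; return a list of
    (client, path, reason) for every request that fails the check."""
    flagged = []
    for line in lines:
        m = LOG_REQUEST.match(line)
        if not m:
            continue
        client, target = m.groups()
        path = target.split("?", 1)[0]  # ignore the query string
        ok, reason = check_request_path(path)
        if not ok:
            flagged.append((client, path, reason))
    return flagged


# Constructed sample log lines (not real traffic).
LOG_LINES = [
    '10.0.0.5 - - [11/Jan/2002:10:00:01 -0500] "GET /index.jsp HTTP/1.0" 200 1234',
    '10.0.0.7 - - [11/Jan/2002:10:00:02 -0500] "GET /aux.jsp HTTP/1.0" 200 0',
    '10.0.0.7 - - [11/Jan/2002:10:00:03 -0500] "GET /login.jsp%00 HTTP/1.0" 200 4321',
    '10.0.0.9 - - [11/Jan/2002:10:00:04 -0500] "GET /../weblogic.properties HTTP/1.0" 404 0',
    '10.0.0.9 - - [11/Jan/2002:10:00:05 -0500] "GET /docs/com1?x=1 HTTP/1.0" 200 0',
]

if __name__ == "__main__":
    for client, path, reason in scan_access_log(LOG_LINES):
        print(f"{client}\t{path}\t{reason}")
```

The check decodes the path exactly once before inspecting it; a request whose decoded form still contains `%` sequences should be treated as suspicious rather than decoded again, since repeated decoding is itself a way of slipping characters past a filter. Matching on the stem of each segment (the part before the first dot) is what catches `aux.jsp` as well as bare `aux`.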
CVE 2000-0682
CVE 2000-0683
This vulnerability could allow a remote attacker to
view the source code of any file within the web document
tree. Depending upon the configuration, it is possible
to exploit this vulnerability using the File Servlet
or the Server Side Include Servlet. If the example
weblogic.properties file is used, these
servlets can be accessed through the ConsoleHelp alias
and the virtual name *.shtml, respectively. Source code from some scripts could include sensitive
information such as passwords or directory paths which could
be used in a subsequent attack against the server.
BEA WebLogic Enterprise 5.1.x and BEA WebLogic Server and Express 4.5.x and 5.1.x are vulnerable in certain configurations, including the configuration resulting from the example weblogic.properties file.
CVE 2000-0684
CVE 2000-0685
This vulnerability could allow a misconfigured or
malicious application to write files to the web document
root. Executable code could be inserted into JSP or
jHTML pages and would be executed the next time the
page was retrieved by a client. BEA WebLogic Enterprise
5.1.x, and all versions of WebLogic Server and Express
are vulnerable.
For more information on the resource allocation exception password disclosure, see BEA Security Advisory 03-24.
For more information on the denial of service with the Performance Pack enabled, see BEA Security Advisory 02-19.00 and VulnWatch.
For more information on the flaw in URL parsing, see Bugtraq.
For more information on the DOS device request denial of service, see VulnWatch.
For more information on the dot-dot buffer overflow, see Defcom Labs Advisory 2000-04.
For more information on the source code exposure vulnerability, see Foundstone Advisory 072800-9-BEA.
For more information on the file write vulnerability, see BEA Security Advisory 00-04.00.