BEA WebLogic Server/Express Remote Denial of Service and Information Disclosure Vulnerability

admin  2022-07-18 15:35:52  CNNVD vulnerabilities  Source: ZONE.CI 全球网

Vulnerability details

  • CNNVD ID: CNNVD-200312-426
  • Severity: Low
  • CVE ID: CVE-2003-1290
  • Vulnerability type: Access validation error
  • Published: 2003-11-13
  • Threat type: Remote
  • Updated: 2006-01-23
  • Vendor: bea
  • Source: BEA SECURITY ADVIS...

Vulnerability summary

BEA Systems WebLogic is a family of application-integration products that includes Server, Express and Integration. WebLogic Server and WebLogic Express contain several problems that a remote attacker can use to cause a denial of service or to obtain sensitive information. The specific problems are:

1. A malformed URL sent to WebLogic Server or Express through a WebLogic Server proxy plug-in can crash the proxy plug-in, making the web site unreachable. Sites that do not use a WebLogic proxy plug-in are not affected.

2. Accessing WebLogic over SSL via T3 (a "t3s" URL) while specifying a non-SSL listen port in the URL triggers the problem: for example, using "t3s://myhost:7001" (7001 is the plain listen port in a default configuration) instead of "t3s://myhost:7002" (7002 is the default SSL listen port). Although the URL asks for a "t3s" connection, the connection is made to a port that is not the SSL listener, and attempting to use SSL on the non-secure port raises an application exception that results in a denial of service.

3. When a foreign JMS provider is used, the password field of the provider's weblogic.management.configuration.ForeignJMSConnectionFactoryMBean is displayed in clear text in the administration console and is also stored in clear text in config.xml. This can disclose the password.

4. Sending certain malformed data to the port the Node Manager listens on can crash the Node Manager so that it does not recover. This does not happen during normal operation; the denial of service occurs only when irregular data is sent to the port, for example during an NMAP scan.

5. By default, the site's MBeanHome can be obtained from JNDI by an anonymous user, and from the MBeanHome the configuration of many MBeans can be retrieved and inspected. Although this does not fall within the scope of a known security vulnerability, BEA Systems considers that, as a matter of best security practice, an attacker should be denied access to that much configuration data.
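The following is an added example, not code from BEA or from the advisory: a small Python audit of a domain's config.xml that checks for problems 2 and 3 above. It assumes the flat config.xml layout of the 6.1/7.0/8.1 line, namely a <Server> element with a nested <SSL> element, <ForeignJMSConnectionFactory> elements whose credentials live in a Password attribute (clear text) or a PasswordEncrypted attribute (value prefixed with {3DES}), and the element and attribute names used below; the sample document is constructed for the example. The t3s check goes slightly beyond the text and also flags a plain t3 URL aimed at the SSL port.

```python
"""Audit a WebLogic 6.1/7.0/8.1-style config.xml for two findings in this
advisory: credentials stored in clear text (problem 3) and t3s URLs that
point at a non-SSL listen port (problem 2).  Added example; element and
attribute names are assumptions about the flat config.xml layout of those
releases, not copied from a real domain."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample domain configuration, not taken from a real deployment.
SAMPLE_CONFIG_XML = """
<Domain Name="mydomain" ConfigurationVersion="8.1.3.0">
  <Server Name="myserver" ListenPort="7001">
    <SSL Name="myserver" Enabled="true" ListenPort="7002"/>
  </Server>
  <Server Name="plainonly" ListenPort="7101"/>
  <ForeignJMSServer Name="ExtJMS" ConnectionURL="tibjmsnaming://mq:7222">
    <ForeignJMSConnectionFactory Name="ExtCF" LocalJNDIName="jms/extCF"
        RemoteJNDIName="ConnectionFactory" Username="jmsuser"
        Password="s3cret-in-clear"/>
    <ForeignJMSConnectionFactory Name="SafeCF" LocalJNDIName="jms/safeCF"
        RemoteJNDIName="ConnectionFactory" Username="jmsuser"
        PasswordEncrypted="{3DES}Q2xlYXJseU5vdFJlYWw="/>
  </ForeignJMSServer>
</Domain>
"""

# Prefixes WebLogic puts on values it encrypts before writing config.xml
# (assumption: {3DES} for the 7.0/8.1 line, {AES} in later releases).
ENCRYPTED_PREFIXES = ("{3DES}", "{AES}")


def load_config(xml_text):
    return ET.fromstring(xml_text)


def plaintext_password_attrs(root):
    """Return [(element tag, Name attribute, attribute name)] for every
    attribute named ...Password whose value is not an encrypted value.
    Problem 3 is the ForeignJMSConnectionFactory case; the walk is generic
    so any other clear-text credential in the file shows up as well."""
    findings = []
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            if not attr.endswith("Password"):      # skips PasswordEncrypted
                continue
            if value.startswith(ENCRYPTED_PREFIXES):
                continue
            findings.append((elem.tag, elem.get("Name"), attr))
    return findings


def listen_ports(root):
    """Map server name -> (plain listen port, SSL listen port or None)."""
    ports = {}
    for server in root.findall("Server"):
        plain = int(server.get("ListenPort", "7001"))
        ssl = server.find("SSL")
        ssl_port = None
        if ssl is not None and ssl.get("Enabled", "false").lower() == "true":
            ssl_port = int(ssl.get("ListenPort", "7002"))
        ports[server.get("Name")] = (plain, ssl_port)
    return ports


def check_t3_url(url, ports):
    """Problem 2: a t3s:// URL must target an SSL listen port.  Returns a
    description of the mismatch, or None when the URL is consistent with
    the domain's configured listeners."""
    parts = urlsplit(url)
    if parts.scheme not in ("t3", "t3s"):
        return "unsupported scheme %r" % parts.scheme
    port = parts.port
    for name, (plain, ssl_port) in ports.items():
        if parts.scheme == "t3s" and port == plain:
            hint = ("use t3s://%s:%d" % (parts.hostname, ssl_port)
                    if ssl_port else "server has no SSL listener")
            return "t3s URL targets %s's non-SSL port %d; %s" % (name, plain, hint)
        if parts.scheme == "t3" and ssl_port is not None and port == ssl_port:
            return "plain t3 URL targets %s's SSL port %d" % (name, ssl_port)
    return None


if __name__ == "__main__":
    root = load_config(SAMPLE_CONFIG_XML)
    for tag, name, attr in plaintext_password_attrs(root):
        print("clear-text credential: <%s Name=%r %s=...>" % (tag, name, attr))
    ports = listen_ports(root)
    for url in ("t3s://myhost:7001", "t3s://myhost:7002", "t3s://myhost:7101"):
        print(url, "->", check_t3_url(url, ports) or "ok")
```

Run it against a real domain by replacing SAMPLE_CONFIG_XML with the contents of the domain's config.xml; the password walk is attribute-name based, so it does not depend on where in the tree the ForeignJMSConnectionFactory element sits.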

Advisory

Workaround: if you cannot install the patch or upgrade immediately, CNNVD recommends the following measure to reduce the threat:

* Restrict user access to the web administration interface.

Vendor patches: BEA Systems
-----------
The vendor has released patches that fix this security issue; download them from the vendor's site:

BEA Systems WebLogic Server and WebLogic Express 6.1, 6.1 SP1, SP2, SP3, SP4, SP5 and 7.0 SP1, SP2, SP3:

BEA Systems Patch CR121341.zip

ftp://ftpna.beasys.com/pub/releases/security/CR121341.zip

BEA Systems Patch CR121341_win.zip

ftp://ftpna.beasys.com/pub/releases/security/CR121341_win.zip

BEA Systems WebLogic Server and WebLogic Express 6.1 SP5 additionally:

BEA Systems Patch CR125829_610sp5.jar

ftp://ftpna.beasys.com/pub/releases/security/CR125829_610sp5.jar

BEA Systems WebLogic Server 7.0:

BEA Systems Patch CR121341.zip

ftp://ftpna.beasys.com/pub/r

References

Source: BID  Name: 9034  Link: http://www.securityfocus.com/bid/9034
Source: SECUNIA  Name: 10218  Link: http://secunia.com/advisories/10218
Source: XF  Name: weblogic-mbeanhome-obtain-information(13752)  Link: http://xforce.iss.net/xforce/xfdb/13752
Source: BID  Name: 16215  Link: http://www.securityfocus.com/bid/16215
Source: OSVDB  Name: 3064  Link: http://www.osvdb.org/3064
Source: SECUNIA  Name: 18396  Link: http://secunia.com/advisories/18396
Source: BEA  Name: BEA03-43.00  Link: http://dev2dev.bea.com/pub/advisory/162
Source: NSFOCUS  Name: 5661  Link: http://www.nsfocus.net/vulndb/5661

Affected entities

  • Bea Weblogic_server:8.1:Sp4  
  • Bea Weblogic_server:8.1:Sp4:Express  
  • Bea Weblogic_server:8.1:Sp4:Win32  
  • Bea Weblogic_server:8.1:Sp3:Win32  
  • Bea Weblogic_server:8.1:Sp3  

Patches

    None
