BEA Tuxedo Administration vulnerability requires fix

Edmund X. DeJesus, Information Security magazine Contributor

Thousands of customers in Fortune 500 enterprises are urged to patch or upgrade to remedy a security issue in BEA Tuxedo Administration Console. A problem with processing input arguments can allow denial of service, disclosure of file system information or cross-site scripting.

BEA Tuxedo provides middleware for building scalable enterprise applications in heterogeneous, distributed environments. The BEA Tuxedo administration console is a CGI application for remote administration of Tuxedo functions.

The console accepts input arguments, including the INIFILE argument containing a path to an initialization file. Corsaire Advisories has discovered that these arguments aren't tested for formatting and validity issues, such as pathnames outside the Web root, device names instead of filenames or HTML constructs. By manipulating these arguments, a remote user can: cause denial of service (if the server thread attempts to access devices instead of files); determine the existence of files on different logical file systems and network drives (by using a variety of pathnames); or execute code (by using a "filename" that resolves to JavaScript).

Vulnerable versions include BEA Tuxedo 8.1 and prior. A patch is available for Tuxedo 8.1, and previous versions should be upgraded to 8.1.

Requires Free Membership to View

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: