BEA Tuxedo Administration Console vulnerability requires fix

Enterprises using the BEA Tuxedo Administration Console are warned to patch a security flaw or risk denial of service, information leakage or cross-site scripting.

Thousands of customers in Fortune 500 enterprises are urged to patch or upgrade to remedy a security issue in BEA Tuxedo Administration Console. A problem with processing input arguments can allow denial of service, disclosure of file system information or cross-site scripting.

BEA Tuxedo provides middleware for building scalable enterprise applications in heterogeneous, distributed environments. The BEA Tuxedo administration console is a CGI application for remote administration of Tuxedo functions.

The console accepts input arguments, including the INIFILE argument, which contains a path to an initialization file. Corsaire Advisories has discovered that these arguments aren't checked for formatting and validity problems such as pathnames outside the Web root, device names in place of filenames, or HTML constructs. By manipulating these arguments, a remote user can: cause denial of service (if the server thread attempts to access a device instead of a file); determine the existence of files on different logical file systems and network drives (by supplying a variety of pathnames); or execute code in the browser (by supplying a "filename" that resolves to JavaScript).

Vulnerable versions include BEA Tuxedo 8.1 and prior. A patch is available for Tuxedo 8.1, and previous versions should be upgraded to 8.1.
