
BEA WebLogic vulnerable to remote attacks

Edmund X. DeJesus, Contributor

BEA Systems Inc. recommends upgrading the Sun JDK (Java Development Kit) in its WebLogic Server and WebLogic Express to patch a vulnerability that could permit remote attacks, causing a denial of service.

San Jose, Calif.-based BEA sells application infrastructure software. The company warns in an advisory that a defect in XML-parsing operations in the Java Media Framework (JMF) of the Sun Java Virtual Machine (JVM) renders the server vulnerable to certain malformed XML.

Since the server handles incoming traffic, it's possible for a remote attacker to crash the server and cause a denial of service.

The vulnerability occurs in the following products: WebLogic Server and WebLogic Express version 5.1 service packs 1 to 13, version 6.1 service packs 1 to 5 and version 7.0 service packs 1 to 4. All use Sun JDKs prior to JDK 1.3.1_09.

There is no workaround. Upgrading to Sun JDK 1.3.1_09 or above will fix this vulnerability.

Administrators are advised, however, that some Java code that worked under the pre-1.3.1_09 JDKs may cause startup errors after migration to JDK 1.3.1_09 or a later version.

In an unrelated and less-critical issue, BEA Systems has also issued an advisory about a possible password weakness in WebLogic Server and Express 8.1 Service Pack 1. If a user enters a password when using the "wldeploy," "wlserver" and "wlconfig" tasks, the password is displayed on screen and recorded in the log files. The solution is to upgrade to Service Pack 2.

These are only the latest in BEA WebLogic vulnerabilities, which have included issues with cross-site scripting, user impersonation, and administrator-password disclosure, among others.

FOR MORE INFORMATION:

Click here for the BEA advisory.

Click here for Sun JDK upgrade.

Click here for more on the startup errors in JDK.

Click here for the Service Pack 2 download.

