BEA WebLogic vulnerable to remote attacks

BEA Systems warns of a vulnerability in its WebLogic Server and WebLogic Express products that could lead to a denial of service.

BEA Systems Inc. recommends upgrading the Sun JDK (Java Development Kit) in its WebLogic Server and WebLogic Express to patch a vulnerability that could permit remote attacks, causing a denial of service.

San Jose, Calif.-based BEA sells application infrastructure software. The company warns in an advisory that a defect in the XML-parsing operations of the Java Media Framework (JMF) in the Sun Java Virtual Machine (JVM) leaves the server vulnerable to certain malformed XML.

Because the server handles incoming traffic, a remote attacker can crash the server and cause a denial of service.

The vulnerability affects the following products: WebLogic Server and WebLogic Express version 5.1 service packs 1 to 13, version 6.1 service packs 1 to 5, and version 7.0 service packs 1 to 4. All of these use Sun JDKs prior to JDK 1.3.1_09.

There is no workaround. Upgrading to Sun JDK 1.3.1_09 or above will fix this vulnerability.

Administrators are advised, however, that some Java code that worked under the pre-1.3.1_09 JDKs may cause startup errors after migration to JDK 1.3.1_09 or a later version.
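Because the only remedy is a JDK upgrade, the practical first step for an administrator is to establish which hosts still run a JDK older than 1.3.1_09. The following Python script is an added example, not code from BEA or the advisory: it parses Sun-style JDK version strings (the `java version "1.3.1_08"` line that `java -version` prints to stderr) into comparable tuples and reports hosts below the fix threshold. The hostnames and version strings in the sample inventory are constructed for illustration, and the script assumes that any numerically higher release (including 1.4.x) counts as "1.3.1_09 or above", as the advisory's wording implies.

```python
import re
import subprocess

# Threshold stated in the BEA advisory: JDK 1.3.1_09 or later contains the fix.
FIXED_VERSION = "1.3.1_09"

# Matches Sun JDK version strings such as "1.3.1", "1.3.1_08" or "1.4.1_02-b06".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_jdk_version(text):
    """Extract (major, minor, micro, update) from a version string or a
    full `java -version` output line. A missing update number counts as 0,
    so "1.3.1" sorts below "1.3.1_01"."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no JDK version found in: %r" % text)
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def is_patched(text, fixed=FIXED_VERSION):
    """True if the JDK described by `text` is at or above the fixed release.
    Tuple comparison handles the update number correctly, which a plain
    string comparison of "1.3.1_9" vs "1.3.1_10" would not."""
    return parse_jdk_version(text) >= parse_jdk_version(fixed)


def vulnerable_hosts(inventory, fixed=FIXED_VERSION):
    """Return the sorted hostnames whose recorded JDK is below the fix."""
    return sorted(host for host, ver in inventory.items()
                  if not is_patched(ver, fixed))


def local_java_version(java_path="java"):
    """Run `java -version` on this machine and return the version tuple.
    Sun JDKs print the version banner to stderr, so read that stream."""
    proc = subprocess.run([java_path, "-version"],
                          capture_output=True, text=True)
    return parse_jdk_version(proc.stderr + proc.stdout)


# Constructed sample inventory (hypothetical hostnames) standing in for the
# output of `java -version` collected from each WebLogic host.
SAMPLE_INVENTORY = {
    "wls-app-01": 'java version "1.3.1_08"',
    "wls-app-02": 'java version "1.3.1_09"',
    "wls-app-03": 'java version "1.3.1"',
    "wls-app-04": 'java version "1.4.1_02"',
}

if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_INVENTORY):
        print("%s: JDK %s is below %s, upgrade required"
              % (host, SAMPLE_INVENTORY[host], FIXED_VERSION))
```

In practice the inventory would be populated from each server's `java -version` output (or from the JDK path configured in the WebLogic start scripts), and any host the script lists should be scheduled for the upgrade and the post-migration startup check described above.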

In an unrelated and less critical issue, BEA Systems has also issued an advisory about a possible password weakness in WebLogic Server and Express 8.1 Service Pack 1. If a user enters a password when using the "wldeploy," "wlserver" and "wlconfig" tasks, the password is displayed on screen and recorded in the log files. The solution is to upgrade to Service Pack 2.

These are only the latest BEA WebLogic vulnerabilities; earlier ones have included cross-site scripting, user impersonation and administrator-password disclosure, among others.
