BEA Systems Inc. recommends upgrading the Sun JDK (Java Development Kit) in its WebLogic Server and WebLogic Express...
to patch a vulnerability that could permit remote attacks, causing a denial of service.
San Jose, Calif.-based BEA sells application infrastructure software. The company warns in an advisory that an XML-parsing operations defect in the Java Media Framework (JMF) of the Sun Java Virtual Machine (JVM) renders the server vulnerable to certain malformed XML.
Since the server handles incoming traffic, it's possible for a remote attacker to crash the server and cause a denial of service.
The vulnerability occurs in the following products: WebLogic Server and WebLogic Express version 5.1 service packs 1 to 13, version 6.1 service packs 1 to 5 and version 7.0 service packs 1 to 4. All use Sun JDKs prior to JDK 1.3.1_09.
There is no workaround. Upgrading to Sun JDK 1.3.1_09 or above will fix this vulnerability.
Administrators are advised, however, that some Java code that worked under the pre-1.3.1_09 JDKs may cause startup errors after you migrate to JDK 1.3.1_09 or a later version.
In an unrelated and less-critical issue, BEA Systems has also issued an advisory about a possible password weakness in WebLogic Server and Express 8.1 Service Pack 1. If a user enters a password when using tasks "wldeploy," "wlserver" and "wlconfig", the password is displayed on screen and recorded in the log files. The solution is to upgrade to Service Pack 2.
These are only the latest in BEA WebLogic vulnerabilities, which have included issues with cross-site scripting, user impersonation, and administrator-password disclosure, among others.
FOR MORE INFORMATION:
Dig Deeper on Vulnerability Risk Assessment