
BEA Tuxedo Administration vulnerability requires fix

Enterprises using the BEA Tuxedo Administration Console are warned to patch a security flaw or risk denial of service, information disclosure or cross-site scripting.

Thousands of customers in Fortune 500 enterprises are urged to patch or upgrade to remedy a security issue in the BEA Tuxedo Administration Console. A flaw in the processing of input arguments can allow denial of service, disclosure of file system information or cross-site scripting.

BEA Tuxedo provides middleware for building scalable enterprise applications in heterogeneous, distributed environments. The BEA Tuxedo administration console is a CGI application for remote administration of Tuxedo functions.

The console accepts input arguments, including an INIFILE argument that holds the path to an initialization file. Corsaire's advisory reports that these arguments are not checked for formatting or validity: a pathname outside the Web root, a device name in place of a filename, or HTML constructs all pass straight through. By manipulating the arguments, a remote user can cause a denial of service (when the server thread tries to open a device instead of a file and hangs); determine whether files exist on other logical file systems and network drives (by trying a variety of pathnames and observing the response); or inject script that runs in the browser of whoever views the console's response, i.e. cross-site scripting (by supplying a "filename" that is really JavaScript).
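The three missing checks the advisory describes (confining a path argument to a base directory, refusing device names, and escaping anything echoed back) map onto a small amount of code. The following is an added example written for this article, not BEA's console code or Corsaire's advisory material: it contrasts an unchecked CGI-style handler with a hardened one for an INIFILE-like argument. The function names, the base-directory layout and the sample console.ini content are all assumptions made for the example.

```python
"""Hardened handling of a CGI path argument such as INIFILE.

Added example, not BEA's code. It implements the checks the advisory says
were missing: confinement to a base directory, rejection of device names,
and escaping of echoed input. Names and layout are assumptions.
"""
import html
import os
import tempfile
from pathlib import Path

# Reserved DOS/Windows device names: opening one can block a server thread.
RESERVED_DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{prefix}{n}" for prefix in ("COM", "LPT") for n in range(1, 10)
}
# Characters that have no business in a relative .ini filename; rejecting
# them up front also blocks HTML constructs and drive-letter/UNC syntax.
FORBIDDEN_CHARS = set('<>"\'&;:\\|\x00')

GENERIC_ERROR = "<p>Invalid INIFILE argument.</p>"


class InvalidArgument(ValueError):
    pass


def resolve_inifile(base_dir, arg):
    """Return the absolute path of arg under base_dir, or raise InvalidArgument."""
    if not arg or FORBIDDEN_CHARS & set(arg):
        raise InvalidArgument("forbidden character")
    for part in Path(arg).parts:
        # CON, con.ini, NUL.txt ... all name the device on Windows.
        if part.split(".")[0].upper() in RESERVED_DEVICE_NAMES:
            raise InvalidArgument("device name")
    base = Path(base_dir).resolve()
    # resolve() collapses '..' and follows symlinks, so a link inside the
    # base that points outside it is rejected too; an absolute arg replaces
    # base entirely and therefore also fails the containment check.
    candidate = (base / arg).resolve()
    if candidate != base and base not in candidate.parents:
        raise InvalidArgument("outside base directory")
    if candidate.suffix.lower() != ".ini":
        raise InvalidArgument("not an .ini file")
    return candidate


def handle_inifile(base_dir, arg):
    """Hardened handler: returns (status, HTML body).

    Every failure, including a missing file, gets the same generic body, so
    the response cannot be used as a file-existence oracle."""
    try:
        path = resolve_inifile(base_dir, arg)
        text = path.read_text()
    except (InvalidArgument, OSError):
        return 400, GENERIC_ERROR
    # Only escaped content goes back to the browser.
    return 200, "<pre>%s</pre>" % html.escape(text, quote=True)


def handle_inifile_unchecked(base_dir, arg):
    """The pattern the advisory describes: the argument is used as given and
    echoed raw. An absolute arg discards base_dir (os.path.join semantics),
    the error text tells the caller whether the file exists, and any HTML in
    arg is reflected unescaped."""
    try:
        with open(os.path.join(base_dir, arg)) as fh:
            text = fh.read()
    except OSError as exc:
        return 500, "<p>Cannot open %s: %s</p>" % (arg, exc)
    return 200, "<pre>%s</pre>" % text


# Constructed fixture so the block runs offline: one sample ini file.
SAMPLE_DIR = tempfile.mkdtemp()
Path(SAMPLE_DIR, "console.ini").write_text("[console]\nport=7080\n")

if __name__ == "__main__":
    for probe in ("console.ini", "../../etc/passwd", "CON.ini", "<script>.ini", "missing.ini"):
        print(probe, "->", handle_inifile(SAMPLE_DIR, probe))
```

On Windows the device-name check is what prevents the hang, since open() on CON or COM1 blocks; on POSIX systems those names are ordinary files, so there the check is purely defensive. The one generic error body is deliberate: as soon as "not found" and "not allowed" produce different responses, the argument becomes the existence oracle the advisory warns about.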

Vulnerable versions include BEA Tuxedo 8.1 and earlier. A patch is available for Tuxedo 8.1; earlier versions should be upgraded to 8.1, to which the patch can then be applied.
