
BEA WebLogic vulnerable to remote attacks

BEA Systems warns of a vulnerability that exists in its WebLogic Server and WebLogic Express and which could lead to a denial of service.

BEA Systems Inc. recommends upgrading the Sun JDK (Java Development Kit) in its WebLogic Server and WebLogic Express to patch a vulnerability that could permit remote attacks, causing a denial of service.

San Jose, Calif.-based BEA sells application infrastructure software. The company warns in an advisory that a defect in the XML-parsing operations of the Java Media Framework (JMF) in the Sun Java Virtual Machine (JVM) renders the server vulnerable to certain malformed XML.

Since the server handles incoming traffic, it's possible for a remote attacker to crash the server and cause a denial of service.

The vulnerability occurs in the following products: WebLogic Server and WebLogic Express version 5.1 service packs 1 to 13, version 6.1 service packs 1 to 5 and version 7.0 service packs 1 to 4. All use Sun JDKs prior to JDK 1.3.1_09.

There is no workaround. Upgrading to Sun JDK 1.3.1_09 or above will fix this vulnerability.

Administrators are advised, however, that some Java code that worked under the pre-1.3.1_09 JDKs may cause startup errors after migrating to JDK 1.3.1_09 or a later version.
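The advisory's fix condition is a simple version threshold: any Sun JDK below 1.3.1_09 leaves WebLogic exposed, 1.3.1_09 or above does not. The check below is an added example, not code from BEA or the article, for an administrator who has collected the first line of `java -version` from each WebLogic host and wants to list the ones still on an affected JDK. It assumes Sun's `major.minor.micro_update` version format (a build suffix such as `-b02` is ignored) and, following the article's "1.3.1_09 or above" wording, treats later lineages such as 1.4.x as fixed. The host names and version lines are constructed sample data.

```python
import re

# Fix level stated in the advisory: Sun JDK 1.3.1_09.
FIXED_JDK = "1.3.1_09"

# major.minor[.micro][_update]; anything after that (e.g. "-b02") is ignored.
_VERSION_RE = re.compile(r'(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?')


def parse_jdk_version(text):
    """Extract (major, minor, micro, update) from a version string or from the
    first line of `java -version` output, e.g. 'java version "1.3.1_08"'.
    A missing micro or update component counts as 0. Returns None if no
    version is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro or 0), int(update or 0))


def is_vulnerable_jdk(version_text, fixed=FIXED_JDK):
    """True when the JDK is older than the fixed level named in the advisory.
    Tuple comparison orders 1.3.1_08 < 1.3.1_09 < 1.4.2_03 as intended."""
    v = parse_jdk_version(version_text)
    if v is None:
        raise ValueError("no JDK version found in: %r" % (version_text,))
    return v < parse_jdk_version(fixed)


def check_hosts(inventory):
    """inventory maps hostname -> first line of `java -version` on that host.
    Returns the sorted list of hosts still running a pre-1.3.1_09 JDK."""
    return sorted(host for host, line in inventory.items()
                  if is_vulnerable_jdk(line))


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = {
    "wls-app-01": 'java version "1.3.1_08"',      # below the fix level
    "wls-app-02": 'java version "1.3.1_09"',      # exactly the fix level
    "wls-app-03": 'java version "1.3.1"',         # no update suffix, treated as _00
    "wls-app-04": 'java version "1.4.2_03-b02"',  # later lineage, build id ignored
}

if __name__ == "__main__":
    for host in check_hosts(SAMPLE_INVENTORY):
        print("%s: JDK older than %s, apply the upgrade" % (host, FIXED_JDK))
```

Run as a script it names the two hosts in the sample inventory that still need the upgrade; in practice the inventory would be filled from each server's actual `java -version` output.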

In an unrelated and less-critical issue, BEA Systems has also issued an advisory about a possible password weakness in WebLogic Server and Express 8.1 Service Pack 1. If a user enters a password when using the "wldeploy," "wlserver" and "wlconfig" tasks, the password is displayed on screen and recorded in the log files. The solution is to upgrade to Service Pack 2.

These are only the latest in BEA WebLogic vulnerabilities, which have included issues with cross-site scripting, user impersonation, and administrator-password disclosure, among others.


