WebLogic Vulnerabilities

Impact

Vulnerabilities in the WebLogic web server could allow an attacker to execute arbitrary code or to read the source code of any file within the web document root.

Background

BEA WebLogic servers are web servers designed for e-commerce applications.

The Problems

There are two security problems in the BEA WebLogic line of web servers.

The first vulnerability could allow a remote attacker to view the source code of any file within the web document tree. Depending upon the configuration, it is possible to exploit this vulnerability using the File Servlet or the Server Side Include Servlet. If the example weblogic.properties file is used, these servlets can be accessed through the ConsoleHelp alias and the virtual name *.shtml, respectively. Source code from some scripts could include sensitive information such as passwords or directory paths which could be used in a subsequent attack against the server.

BEA WebLogic Enterprise 5.1.x and BEA WebLogic Server and Express 4.5.x and 5.1.x are vulnerable in certain configurations, including the configuration resulting from the example weblogic.properties file.

The second vulnerability could allow a misconfigured or malicious application to write files to the web document root. Executable code could be inserted into JSP or jHTML pages and would be executed the next time the page was retrieved by a client. BEA WebLogic Enterprise 5.1.x and all versions of WebLogic Server and Express are vulnerable.

Resolutions

For the first vulnerability, apply service pack 5 for WebLogic 5.1.0 if it is available. Service packs are available from BEA.

Alternatively, apply the Show Code patch. Contact support@bea.com to obtain the patch. After the patch has been applied, check weblogic.properties to make sure the change has taken place. The following lines:

weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.file=defaultFilename=index.html
weblogic.httpd.defaultServlet=file

should be changed to:

weblogic.httpd.register.*.html=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.*.html=defaultFilename=index.html
weblogic.httpd.defaultServlet=*.html
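
An added example, not part of the advisory or of BEA's tooling: a Python check that reads the text of weblogic.properties and reports whether the post-patch FileServlet mapping listed above is in place. The ConsoleHelp line in the sample input and the rule that flags other weblogic.httpd.register.<name> entries are assumptions inferred from the register.<name> pattern shown above.

```python
import re

# Values the advisory says must be present after the Show Code patch.
EXPECTED = {
    "weblogic.httpd.register.*.html": "weblogic.servlet.FileServlet",
    "weblogic.httpd.initArgs.*.html": "defaultFilename=index.html",
    "weblogic.httpd.defaultServlet": "*.html",
}
REPLACED = ("weblogic.httpd.register.file", "weblogic.httpd.initArgs.file")  # pre-patch keys
REGISTER = "weblogic.httpd.register."

# Constructed sample input: the advisory's pre-patch lines plus an assumed ConsoleHelp alias.
SAMPLE_PRE = """\
weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.file=defaultFilename=index.html
weblogic.httpd.defaultServlet=file
weblogic.httpd.register.ConsoleHelp=weblogic.servlet.FileServlet
"""
SAMPLE_POST = "\n".join(f"{k}={v}" for k, v in EXPECTED.items())


def parse_properties(text):
    """Parse key=value lines, skipping comments and joining backslash continuations."""
    props = {}
    for line in re.sub(r"\\\r?\n[ \t]*", "", text).splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)  # value may itself contain '='
            props[key.strip()] = value.strip()  # last definition wins
    return props


def audit(text):
    """Return findings for an administrator to review; [] means nothing was flagged."""
    props = parse_properties(text)
    findings = [f"pre-patch key still present: {k}={props[k]}" for k in REPLACED if k in props]
    for key, want in EXPECTED.items():
        if props.get(key) != want:
            findings.append(f"expected {key}={want}, found {props.get(key)!r}")
    for key, value in props.items():
        # Assumed rule: surface any other FileServlet alias and any *.shtml mapping.
        name = key[len(REGISTER):] if key.startswith(REGISTER) else ""
        exposed = value == "weblogic.servlet.FileServlet" or name == "*.shtml"
        if name not in ("", "file", "*.html") and exposed:
            findings.append(f"review servlet registration: {key}={value}")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_PRE), audit(SAMPLE_POST), sep="\n")
```
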

The resolution for the second vulnerability is to use proper access controls on the web document root, and to remove any unnecessary applications. See BEA Security Advisory 00-04.00 for specific fix information.

Where can I read more about this?

For more information on the first vulnerability, see BEA Security Advisory 00-03.00.

For more information on the second vulnerability, see BEA Security Advisory 00-04.00.