Vulnerability Tutorial - WebLogic vulnerabilities
Updated: 04/17/14 (RED light)
Impact
Vulnerabilities in the WebLogic web server could allow an attacker to execute arbitrary code, crash the server, cause the web service to stop responding, or read the source code of any file within the web document root.
Background
BEA WebLogic servers are web servers designed for e-commerce applications.
The Problem

WebLogic Server WLS Security Vulnerability

04/17/14
CVE 2014-2470
Oracle WebLogic Server versions 10.0.2.0, 10.3.6.0, 12.1.1.0, and 12.1.2.0 are prone to a vulnerability, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability exists due to an unspecified error in the "WLS Security" sub-component. The vulnerability can be exploited to take over the server and subsequently execute arbitrary code.

Web Container Java Server Faces Information Disclosure Vulnerability

10/21/13
CVE 2013-3827
Oracle WebLogic Server versions 10.3.6.0 and 12.1.1.0 are prone to a vulnerability, which can be exploited to disclose potentially sensitive information.

Cross-Site Scripting and Manipulation of Data Vulnerabilities

04/22/13
CVE 2013-1504 CVE 2013-2390
Oracle WebLogic versions 10.0.2, 10.3.5, 10.3.6 and 12.1.1 are prone to two vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks and manipulate certain data.

  • Input passed via the "SNMPMonitoringTablePortlet[SNMPMonitoringTable]sortby" parameter to console/console.portal is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
  • An error within the "WebLogic Console" sub-component can be exploited to manipulate certain data.

OpenSAML Security Bypass Vulnerability

10/19/12
CVE 2011-1411
Oracle WebLogic Server versions 9.2.4.0, 10.0.2.0, 10.3.5.0, 10.3.6.0, and 12.1.1.0 are prone to a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Web Form Hash Collision Denial of Service Vulnerability

02/08/12
CVE 2011-5035
Oracle WebLogic Server versions 9.2.4, 10.0.2, 10.3.3, 10.3.4, 10.3.5, and 12.1.1 are prone to a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error within a hash generation function when hashing form posts and updating a hash table. This can be exploited to cause a hash collision resulting in high CPU consumption via a specially crafted form sent in an HTTP POST request.

Cross-Site Scripting and Denial of Service Vulnerabilities

01/27/12
CVE 2011-3566
CVE 2012-0077
Oracle WebLogic Server versions 9.2.4, 10.0.2, 10.3.3, 10.3.4, and 10.3.5 are prone to two vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks and cause a DoS (Denial of Service).

  • An unspecified error in the Web Container component can be exploited to cause a crash.
  • Certain unspecified input passed to the WLS-Console management interface is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Information Disclosure and Privilege Escalation Vulnerabilities

10/27/11
CVE 2011-2318
CVE 2011-2319
CVE 2011-2320
WebLogic Server 9.2.4, 10.0.2, and 11gR1 (10.3.3, 10.3.4, 10.3.5) are prone to multiple vulnerabilities, which can be exploited by malicious, local users to perform certain actions with escalated privileges and by malicious people to disclose potentially sensitive information.

OpenSSL Plaintext Injection Vulnerability

04/28/11
CVE 2009-3555
WebLogic Server 8.1.6, 9.2.3, 9.2.4, 10.0.2, and 11gR1 (10.3.2, 10.3.3, 10.3.4) are prone to a vulnerability, which can be exploited by malicious people to manipulate certain data.

WebLogic Server HTTP TRACE Vulnerability

07/09/10
CVE 2004-2320
WebLogic Server supports the HTTP TRACE method, which may allow an attacker to access session information by leveraging a Cross Site Tracing (XST) attack.

Multiple Remote Vulnerabilities in WebLogic Server

02/02/10
CVE 2010-0068
CVE 2010-0069
CVE 2010-0074
CVE 2010-0078
Oracle WebLogic Server is exposed to remote issues that can be exploited over the "HTTP" protocol. For an exploit to succeed, the attacker must have "Web Services" or "Servlet Container Package" privileges.

WebLogic Server Node Manager Command Execution

02/01/10
WebLogic Server is prone to a remote command-execution vulnerability because the software fails to restrict access to sensitive commands. Successful attacks can compromise the affected software and possibly the computer.

console-help.portal Cross-Site Scripting

07/24/09
CVE 2009-1975
There exists a cross-site scripting vulnerability in BEA WebLogic Server. The vulnerability is due to an input validation error in certain console-help.portal pages that allows attackers to inject arbitrary HTML and JavaScript code that would be executed in a user's web browser. A remote unauthenticated attacker can exploit this vulnerability to execute arbitrary HTML or script code on the client system.

WebLogic Server Plug-ins Certificate Buffer Overflow

05/06/09
CVE 2009-1016
There exists a buffer overflow vulnerability in BEA WebLogic Server Plugins. The vulnerability is due to a boundary error while parsing SSL certificates. A remote unauthenticated attacker can exploit this vulnerability by sending a crafted certificate to the target host.

WebLogic Server Apache Connector Heap Buffer Overflow

01/15/09
CVE 2008-5457
There exists a buffer overflow vulnerability in BEA WebLogic Server Apache Connector. The vulnerability is due to a boundary error in the Apache connector. A remote unauthenticated attacker can exploit this vulnerability by sending crafted requests to the target host. Successful exploitation would result in a denial of service condition for Apache HTTP services on the target host.

WebLogic Server Apache Connector Buffer Overflow

10/28/08
CVE 2008-4008
There exists a buffer overflow vulnerability in BEA WebLogic Server Apache Connector. The vulnerability is due to a boundary error in the Apache connector. A remote unauthenticated attacker can exploit this vulnerability by sending crafted requests to the target host. Successful exploitation would allow the attacker to execute arbitrary code on the vulnerable system with privileges of the running process, normally System.

WebLogic Server Apache Connector HTTP Version String Buffer Overflow

07/24/08
CVE 2008-3257
There exists a string buffer overflow vulnerability in BEA WebLogic Server Apache Connector. The vulnerability is due to a boundary error in the Apache connector. A remote unauthenticated attacker can exploit this vulnerability by sending crafted requests to the target host. Successful exploitation would allow the attacker to execute arbitrary code on the vulnerable system with privileges of the running process.

Multiple Vulnerabilities

09/21/04
WebLogic 8.1 Service Pack 3 fixes multiple vulnerabilities:

  • Denial of service or data disclosure by unbinding certain objects in the JNDI tree
  • Incomplete protection of files cross-mounted from operating systems which do not support case-sensitive file names (affects non-Windows platforms only)
  • Some WebLogic.Admin commands can be executed without a username and password
  • A deactivated user can still log in when using LDAP for authentication
  • Flaw in enforcement of security roles and policies when an internal error occurs in a security provider during deployment
  • Password disclosure in the WebLogic Administrative Console when the WebLogic server is booted (affects Linux only)
  • Disclosure of WebLogic version information in HTTP headers
  • Difficulty in avoiding clear-text passwords in scripts which call WebLogic command-line utilities

SSL Denial of Service

06/21/04
CVE 2004-2424
If WebLogic is hosting SSL-enabled applications, it is possible to send a request which causes the server to fail to close the connection. An attacker could cause a denial of service by sending a large number of such requests, causing the server to run out of sockets and stop accepting new connections. WebLogic Server and Express 8.1 through service pack 2 are affected by this vulnerability.

Security Role Assignment Vulnerabilities

05/21/04
CVE 2004-0470
CVE 2004-0471
There are two vulnerabilities related to security role assignments. Firstly, when a site is configured such that only certain users in the Admin or Operator security roles are allowed to start and stop servers, these restrictions are not enforced, potentially allowing an unauthorized Admin or Operator to shut down web services. Secondly, when a weblogic.xml file that contains <security-role-assignment> tags that do not contain any <principal-name> tags is edited through WebLogic Builder or the SecurityRoleAssignmentMBean.toXML method, the <security-role-assignment> tags are removed, and defaults are used, potentially granting unintended access to some users. WebLogic 8.1 through service pack 2 and 7.0 through service pack 5 are affected by these vulnerabilities.

Custom Trust Manager vulnerability

04/19/04
CVE 2004-1756
The WebLogic custom trust manager is affected by a vulnerability. If a certificate chain is validated and accepted but the custom trust manager rejects the chain, the certificate chain may still be accepted. This could allow an attacker using two-way SSL to impersonate a user. When outbound SSL is being used, an attacker can impersonate a remote server.

WebLogic Server and Express 8.1 through service pack 2, and 7.0 through service pack 4, are affected by this vulnerability on sites using the custom trust manager.

WebLogic authentication provider privilege inheritance flaw

04/19/04
CVE 2004-0715
If a system administrator creates two groups and makes the first a member of the second, and then deletes the second group and later creates it again, then the second group will still inherit the privileges of the first group, even if it was never granted those privileges the second time. If the first group has administrative privileges, this could lead to unauthorized privilege elevation.

WebLogic Server and Express 8.1 through service pack 2, and 7.0 through service pack 4, are affected by this vulnerability on sites using the WebLogic Authentication provider as the default authentication provider in a security realm.

Multiple Potential Problems

04/26/04
CVE 2004-0711
CVE 2004-0712
CVE 2004-0713
Three unrelated potential problems could lead to information disclosure, privilege elevation, or denial of service, depending upon the WebLogic configuration and coding practices in deployed applications. The first problem could allow attackers to view directories when illegal URL patterns such as /directory* are used in applications. The second problem could erroneously allow a user to remove a stateful EJB from a remote view if an application uses the remove method with a remote view. The third problem arises when using the config.sh or config.cmd tools. These tools produce log files containing the administrative username and password in clear text, which could allow a local user to gain administrative privileges.

WebLogic Server and Express 8.1 through Service Pack 2, 7.0 through Service Pack 4, and 6.1 through Service Pack 6 are affected by one or more of these vulnerabilities.

Unprotected Internal Servlet

03/20/03
CVE 2003-0151
WebLogic Server contains an internal, undocumented servlet which it uses for its file upload function. This servlet is publicly available and does not require authentication, so a remote attacker could bypass access restrictions for uploads by accessing the servlet directly. By uploading malicious applications in this manner, it could be possible for an attacker to execute commands with the permissions of the WebLogic server. Furthermore, the servlet offers additional operations which allow downloads of arbitrary files, and retrieval of WebLogic users, groups, and hashed passwords. WebLogic 6.0, 6.1, and 7.0 on all platforms are affected by this vulnerability.

ResourceAllocationException password disclosure

01/14/03
CVE 2003-1093
In some circumstances, it may be possible for a remote attacker to view a user's password, which could then be used to gain access to the server. This problem can only be exploited if an application on the server is using a bridge to route messages to a JMS target domain, and an error occurs resulting in a resource allocation exception. The password is included in the exception output.

WebLogic 6.1 prior to Service Pack 4, 7.0 prior to Service Pack 2, and 7.0.0.1 are affected.

Denial of Service with Performance Pack enabled

07/12/02
CVE 2002-1030
Due to a race condition in the WebLogic server code, a remote attacker could crash the WebLogic server if the Performance Pack is enabled, as is the case in a default installation. WebLogic version 5.1 prior to Service Pack 13, version 6.0 prior to Service Pack 2 with Rolling Pack 4, version 6.1 prior to Service Pack 4, and version 7.0 prior to Service Pack 1 on Windows platforms are affected by this vulnerability if unpatched.

URL parsing flaw

05/01/02
A flaw in the processing of HTTP requests could allow a remote attacker to bypass normal restrictions by submitting a specially crafted URL containing a null character. This could allow the attacker to view the source code of .jsp files or view the physical path of the web root, which could reveal information that would be useful in planning a subsequent attack. Furthermore, this vulnerability could be used to request DOS device files, causing the server to stop responding to requests if enough such requests are made.

Version 6.1 Service Pack 2 and earlier versions are affected by this vulnerability unless the appropriate service packs or patches have been applied.

Multiple cross-site scripting vulnerabilities

09/15/03
CVE 2003-0733
A cross-site scripting (XSS) vulnerability requires three conditions: a vulnerable Web site, a valid user of the web site, and an attacker who tricks the user (usually via e-mail or misleading links on web pages) into executing a URL which exploits the XSS vulnerability on the Web site. This allows the attacker to run arbitrary client-side (i.e., browser) scripts that execute with the permissions of the valid user. Typically this is used to steal session cookies, thereby allowing the attacker to impersonate the valid user on the Web site.

Some WebLogic versions contain multiple cross-site scripting (XSS) vulnerabilities which are one of two types:

  • A vulnerability in the Servlet container that can be exploited when the browser is being sent a forward instruction with a dynamically calculated URL.
  • A series of vulnerabilities in the WebLogic Server console application. These are only of risk to users who have special administrative privileges (i.e., users in the Admin, Monitor, Deployer, and Operator roles).

Unpatched WebLogic Server and Express Version 7.0 prior to Service Pack 4, Version 6.1 prior to Service Pack 6, and Version 5.1 prior to Service Pack 14 are vulnerable.

BEA WebLogic Admin Console cross-site scripting

06/03/05
CVE 2005-1747
The WebLogic Admin Console program is vulnerable to cross-site scripting. The Java Server Page (JSP) LoginForm.jsp allows unsanitized CGI variables to be set, thereby allowing arbitrary script code to be injected into the login page. If successful, the attacker can gain the target user's credentials, such as the username, password and session cookie.

WebLogic Server and Express 8.1 SP4 and earlier, and 7.0 SP6 and earlier are vulnerable.

Operator gaining Admin privileges

09/04/03
CVE 2003-0640
This vulnerability can occur when there are users in the Operator role who are not also in the Admin role and the NodeManager is used to start servers. The users in the Operator role unintentionally have read and write access to the username and password used for remote starting each server. If these usernames and passwords belong to Admin users, the Operator can discover them and use them to impersonate Admin users.

WebLogic Server and Express Version 8.1 prior to Service Pack 1, and 7.0 and 7.0.0.1 prior to Service Pack 3 may be vulnerable.

DOS device request denial of service

01/11/02
CVE 2002-0106
When WebLogic receives a request which ends with the .jsp extension, it invokes a compiler to process the request. By requesting a DOS device with the .jsp extension, such as aux.jsp, an attacker can cause WebLogic to invoke a thread which never finishes. By initiating a number of these types of threads, the attacker could cause WebLogic to stop responding to web requests.

WebLogic 6.1 prior to service pack 2 and possibly earlier versions are vulnerable to this attack.
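The following is an added example, not code from the original advisory or from BEA/Oracle: a front-end request check covering both the null-character URL parsing flaw and the DOS device request denial of service described above, plus a scan of constructed access-log lines so the same check can serve as a detection rule. The function names, the log format (Common Log Format) and the sample lines are assumptions.

```python
# Added example (not part of the original advisory): reject request paths that
# contain a NUL character (raw or percent-encoded %00), or whose final segment
# names a DOS reserved device (AUX, CON, PRN, NUL, COM1-9, LPT1-9) regardless
# of extension, e.g. /aux.jsp. The reason string doubles as a log-scan verdict.
from urllib.parse import unquote

# Names reserved by DOS/Windows; <name>.jsp is never a real file on disk.
_DOS_DEVICES = ({'CON', 'PRN', 'AUX', 'NUL'}
                | {f'COM{i}' for i in range(1, 10)}
                | {f'LPT{i}' for i in range(1, 10)})


def check_request_path(raw_path):
    """Return None if raw_path looks safe, otherwise a short rejection reason.

    raw_path is the path portion of the request line, still percent-encoded.
    Only one round of decoding is applied (assumption: no double encoding).
    """
    decoded = unquote(raw_path)
    if '\x00' in raw_path or '\x00' in decoded:
        return 'null byte in path'
    path = decoded.split('?', 1)[0]          # drop any query string
    segment = path.rsplit('/', 1)[-1]        # last path segment
    base = segment.split('.', 1)[0]          # name before the first dot
    # Windows ignores trailing spaces and dots, so "aux ." still hits the device.
    if base.strip(' .').upper() in _DOS_DEVICES:
        return f'DOS device name {base.upper()!r} in path'
    return None


def scan_access_log(lines):
    """Return [(line_number, reason)] for Common Log Format lines whose
    request path fails check_request_path."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            request = line.split('"', 2)[1]   # e.g. 'GET /aux.jsp HTTP/1.0'
            path = request.split(' ')[1]
        except IndexError:
            continue                          # malformed line, skip
        reason = check_request_path(path)
        if reason:
            hits.append((n, reason))
    return hits


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/May/2002:10:00:01 -0400] "GET /index.jsp HTTP/1.0" 200 512',
    '10.0.0.9 - - [01/May/2002:10:00:02 -0400] "GET /aux.jsp HTTP/1.0" 500 0',
    '10.0.0.9 - - [01/May/2002:10:00:03 -0400] "GET /login.jsp%00.html HTTP/1.0" 200 2048',
    '10.0.0.7 - - [01/May/2002:10:00:04 -0400] "GET /docs/com1 HTTP/1.0" 404 0',
]

if __name__ == '__main__':
    for n, reason in scan_access_log(SAMPLE_LOG):
        print(f'line {n}: {reason}')
```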

dot-dot buffer overflow

The WebLogic server uses a different section of code to process requests beginning with ".." than it uses for normal requests. A buffer overflow in this section of the code could be used by a remote attacker to create a race condition which could lead to a server crash or the execution of arbitrary code.

BEA WebLogic Server 5.1.0 prior to Service Pack 7 is affected by this vulnerability.

Source code exposure

CVE 2000-0682
CVE 2000-0683
This vulnerability could allow a remote attacker to view the source code of any file within the web document tree. Depending upon the configuration, it is possible to exploit this vulnerability using the File Servlet or the Server Side Include Servlet. If the example weblogic.properties file is used, these servlets can be accessed through the ConsoleHelp alias and the virtual name *.shtml, respectively. Source code from some scripts could include sensitive information such as passwords or directory paths which could be used in a subsequent attack against the server.

BEA WebLogic Enterprise 5.1.x and BEA WebLogic Server and Express 4.5.x and 5.1.x are vulnerable in certain configurations, including the configuration resulting from the example weblogic.properties file.

Execution of arbitrary JSP/jHTML commands

CVE 2000-0684
CVE 2000-0685
This vulnerability could allow a misconfigured or malicious application to write files to the web document root. Executable code could be inserted into JSP or jHTML pages and would be executed the next time the page was retrieved by a client. BEA WebLogic Enterprise 5.1.x, and all versions of WebLogic Server and Express are vulnerable.

Resolution
For the WebLogic Server WLS security vulnerability, apply the April 2014 critical patch update.

For the Web Container Java Server Faces Information Disclosure vulnerability, apply the October 2013 critical patch update.

For the Cross-Site Scripting and Manipulation of Data vulnerabilities, apply the April 2013 critical patch update.

For the OpenSAML Security Bypass vulnerability, apply the October 2012 critical patch update.

For the Web Form Hash Collision Denial of Service vulnerability, patch as designated in the Oracle Security Alert for CVE-2011-5035.

For the Cross-Site Scripting and Denial of Service vulnerabilities, apply the January 2012 critical patch update.

For the Information Disclosure and Privilege Escalation vulnerabilities, apply the October 2011 critical patch update.

For the OpenSSL Plaintext Injection vulnerability, apply the April 2011 critical patch update.

For the multiple remote vulnerabilities in the WebLogic Server, apply the January 2010 critical patch update.

For the WebLogic Server Node Manager Command Execution vulnerability, upgrade WebLogic Server to a version higher than 10.3.2.

For the console-help.portal Cross-Site Scripting vulnerability, apply the July 2009 critical patch update.

For the WebLogic Server Plug-ins Certificate Buffer Overflow vulnerability, apply the April 2009 critical patch update. Upgrade WebLogic Server to a version higher than 10.0 Maintenance Pack 1 when available, or upgrade to version 10.0 Maintenance Pack 1 and apply the workaround described in the Security Advisory.

For the WebLogic Server Apache Connector Heap Buffer Overflow vulnerability, upgrade WebLogic Server to a version higher than 10.3, or apply the workaround described in the Security Advisory.

For the WebLogic Server Apache Connector Buffer Overflow vulnerability, upgrade WebLogic Server to a version higher than 10.3, or apply the patch.

For the Security Role Assignment vulnerabilities, verify that all <security-role-assignment> tags are still in the weblogic.xml file.
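The following is an added example, not code from the original advisory or from BEA/Oracle: an audit script for the check above and for the second Security Role Assignment vulnerability described under "The Problem". It reports assignments whose <principal-name> list is empty (the condition under which an edit drops the element) and declared roles with no assignment at all (where defaults apply). The function names, the treatment of <externally-defined/> as a valid mapping, and the sample descriptor are assumptions.

```python
# Added example (not part of the original advisory): audit a weblogic.xml
# deployment descriptor for <security-role-assignment> elements.
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip any XML namespace prefix ({uri}name -> name)."""
    return tag.rsplit('}', 1)[-1]


def audit_role_assignments(xml_text, expected_roles=()):
    """Return a report dict for the given weblogic.xml text.

    expected_roles: role names the application declares (e.g. from web.xml).
    'empty'   = assignments present but with no <principal-name> (and no
                <externally-defined/>); these are the ones an edit can drop.
    'missing' = expected roles with no assignment at all; WebLogic then uses
                its default principal mapping for them.
    """
    root = ET.fromstring(xml_text)
    assignments = {}
    for elem in root.iter():
        if _local(elem.tag) != 'security-role-assignment':
            continue
        role, principals, external = None, [], False
        for child in elem:
            name = _local(child.tag)
            if name == 'role-name':
                role = (child.text or '').strip()
            elif name == 'principal-name':
                principals.append((child.text or '').strip())
            elif name == 'externally-defined':
                external = True   # mapping lives in the realm, not here
        assignments[role] = {'principals': [p for p in principals if p],
                             'external': external}
    empty = sorted(r for r, a in assignments.items()
                   if not a['principals'] and not a['external'])
    missing = sorted(set(expected_roles) - set(assignments))
    return {'assignments': assignments, 'empty': empty, 'missing': missing,
            'ok': not empty and not missing}


# Constructed sample descriptor: "manager" has an explicit principal,
# "auditor" has lost its <principal-name> entries, and "operator" (declared
# in web.xml) has no assignment at all.
SAMPLE_WEBLOGIC_XML = """<?xml version="1.0"?>
<weblogic-web-app>
  <security-role-assignment>
    <role-name>manager</role-name>
    <principal-name>managers</principal-name>
  </security-role-assignment>
  <security-role-assignment>
    <role-name>auditor</role-name>
  </security-role-assignment>
</weblogic-web-app>
"""

if __name__ == '__main__':
    report = audit_role_assignments(SAMPLE_WEBLOGIC_XML,
                                    expected_roles=['manager', 'auditor', 'operator'])
    for role in report['empty']:
        print(f"WARN: role '{role}' has no <principal-name>; an edit may drop it")
    for role in report['missing']:
        print(f"WARN: role '{role}' has no <security-role-assignment>; defaults apply")
    print('OK' if report['ok'] else 'Review weblogic.xml before redeploying')
```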

More Information
The WebLogic Server WLS security vulnerability was reported in Secunia Advisory SA57839.

The Web Container Java Server Faces Information Disclosure vulnerability was reported in Secunia Advisory SA55349.

The Cross-Site Scripting and Manipulation of Data vulnerabilities were reported in Secunia Advisory SA51501.

The OpenSAML Security Bypass vulnerability was reported in Secunia Advisory SA50994.

The Web Form Hash Collision Denial of Service vulnerability was reported in Secunia Advisory SA47819.

The Cross-Site Scripting and Denial of Service vulnerabilities were reported in Secunia Advisory SA47618.

The Information Disclosure and Privilege Escalation vulnerabilities were reported in Secunia Advisory SA46520.

The OpenSSL Plaintext Injection vulnerability was reported in Secunia Advisory SA44292.

The WebLogic Server HTTP TRACE vulnerability was reported in Bugtraq ID 9506.

The multiple remote vulnerabilities in the WebLogic Server were reported in Bugtraq ID 37737, Bugtraq ID 37748, Bugtraq ID 37741 and Bugtraq ID 37751.

The WebLogic Server Node Manager Command Execution vulnerability was reported in Bugtraq ID 37926.

The console-help.portal Cross-Site Scripting vulnerability was reported in Bugtraq ID 35673.

The WebLogic Server Plug-ins Certificate Buffer Overflow vulnerability was reported in Bugtraq ID 34461.

The WebLogic Server Apache Connector Heap Buffer Overflow vulnerability was reported in Secunia Advisory SA33526.

The WebLogic Server Apache Connector Buffer Overflow vulnerability was reported in Secunia Advisory SA32301.

The WebLogic Server Apache Connector HTTP Version String Buffer Overflow vulnerability was reported in Secunia Advisory SA31146.

The vulnerabilities fixed in WebLogic 8.1 Service Pack 3 were reported in BEA Security Advisories 04-65.00, 04-66.00, 04-67.00, 04-68.00, 04-69.00, 04-70.00, 04-71.00, and 04-72.00.

The SSL denial of service was reported in BEA Security Advisory 04-61.

The security role vulnerabilities were reported in BEA Security Advisory 04-59 and BEA Security Advisory 04-60.

For more information on the custom trust manager vulnerability, see BEA Security Advisory 04-54.

For more information on the WebLogic authentication provider privilege inheritance vulnerability, see BEA Security Advisory 04-52.

For more information on the three potential problems in WebLogic, see BEA Security Advisories 04-56.00, 04-57.00, and 04-58.00.

For more information on the unprotected internal servlet, see BEA Security Advisory 03-28 and S21SEC-011.

For more information on the resource allocation exception password disclosure, see BEA Security Advisory 03-24.

See BEA Security Advisory 03-36 for more information on the cross-site scripting vulnerabilities.

See BEA Security Advisory 05-80 for more information on the Admin console cross-site scripting vulnerability.

See BEA Security Advisory 03-33 for more information on the Operator gaining Admin privileges vulnerability.

For more information on the denial of service with the Performance Pack enabled, see BEA Security Advisory 02-19.00 and VulnWatch.

For more information on the flaw in URL parsing, see Bugtraq archive 270239.

For more information on the DOS device request denial of service, see VulnWatch.

For more information on the dot-dot buffer overflow, see Defcom Labs Advisory 2000-04.

For more information on the source code exposure vulnerability, see Foundstone Advisory 072800-9-BEA.

For more information on the file write vulnerability, see BEA Security Advisory 00-04.00.