Security Advisories and Notifications

Security Advisory: (BEA03-30.00)

From: BEA Systems Inc.

Minor Subject: Patch available to prevent clear-text passwords

Product(s) Affected: BEA WebLogic Server and Express

Threat level: Low

Severity: Moderate

Recently a problem was identified that could potentially cause a security vulnerability in certain versions of WebLogic Server and Express. A patch is available to correct this problem (see section II below). BEA treats such possibilities with the highest degree of urgency and does everything possible to ensure the security of all customer assets. As a result, we strongly suggest the following action:

      I. Read the following advisory.

      II. Apply the suggested action.

      III. If you know of any additional users interested in future security advisories, please forward them the registration instructions below.


I. ADVISORY

This vulnerability concerns a number of clear-text passwords that have been identified in BEA WebLogic Server and WebLogic Express. The following passwords were identified:

  • JDBCConnectionPoolRuntimeMBean password was displayed in clear-text via weblogic.Admin. The password field was properly restricted. The major concern here was a passerby seeing the password on the screen of a privileged user.
  • The default CredentialMapper stored the passwords in clear-text on disk. A knowledgeable attacker who had access to the disk files and knew how to extract passwords out of the binary data file could exploit this.
  • Several secrets internal to WebLogic Server and WebLogic Express concerning the encryption of passwords were potentially accessible to non-privileged users. An attacker who obtained these passwords, had extensive knowledge about the internals of WebLogic's encryption algorithms and had access to files that contained the encrypted passwords could have stolen the passwords. This includes passwords stored in config.xml, filerealm.properties and weblogic-rar.xml.
The following versions of WebLogic Server and Express are affected by this vulnerability:
  • WebLogic Server and Express 7.0 and 7.0.0.1, on all platforms
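As an added example (not BEA's code and not part of this advisory), a defender-side check over a domain's config.xml, one of the files named above: it reports password or credential attributes whose value lacks an encryption tag of the `{ALG}` form, and JDBC pool Properties that embed a `password=` entry. The attribute names, the `{3DES}` tag as the marker of an encrypted value, and the sample file are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Attribute names that carry secrets in a WebLogic 7.x-style config.xml
# (assumption: substring match, so Password, PasswordEncrypted and
# Credential are all caught).
SECRET_ATTR = re.compile(r"password|credential", re.IGNORECASE)
# Assumed marker of an encrypted value: an algorithm tag such as "{3DES}".
ENCRYPTED_PREFIX = re.compile(r"^\{[A-Za-z0-9]+\}")
# A password smuggled into a non-secret attribute, e.g. JDBC Properties.
EMBEDDED_PASSWORD = re.compile(r"password\s*=", re.IGNORECASE)


def find_cleartext_secrets(config_xml: str):
    """Return (element tag, attribute name) pairs holding a clear-text secret."""
    findings = []
    root = ET.fromstring(config_xml)
    for elem in root.iter():  # includes the root element itself
        for name, value in elem.attrib.items():
            if SECRET_ATTR.search(name):
                # A secret-bearing attribute must carry the encryption tag.
                if value and not ENCRYPTED_PREFIX.match(value):
                    findings.append((elem.tag, name))
            elif EMBEDDED_PASSWORD.search(value):
                findings.append((elem.tag, name))
    return findings


# Constructed sample config.xml; the ciphertexts are placeholders.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<Domain Name="mydomain">
  <JDBCConnectionPool Name="oraclePool" DriverName="oracle.jdbc.driver.OracleDriver"
      URL="jdbc:oracle:thin:@dbhost:1521:ORCL"
      Properties="user=scott;password=tiger" Password="tiger"/>
  <JDBCConnectionPool Name="safePool" DriverName="oracle.jdbc.driver.OracleDriver"
      URL="jdbc:oracle:thin:@dbhost:1521:ORCL" Properties="user=app"
      PasswordEncrypted="{3DES}PLACEHOLDER_CIPHERTEXT"/>
  <SecurityConfiguration Name="mydomain" Credential="{3DES}PLACEHOLDER_CIPHERTEXT"/>
  <Server Name="myserver" ListenPort="7001"/>
</Domain>
"""

if __name__ == "__main__":
    for tag, attr in find_cleartext_secrets(SAMPLE_CONFIG):
        print(f"clear-text secret: <{tag} {attr}=...>")
```

Run it against the real config.xml of a domain after applying the Service Pack to confirm no clear-text values remain.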

II. SUGGESTED ACTION

BEA strongly recommends the following course of action:

Apply the appropriate Service Pack: BEA strongly suggests that customers apply the remedies recommended in all our security advisories. BEA also urges customers to apply every Service Pack as they are released. Service Packs include a roll-up of all bug fixes for each version of the product, as well as each of the prior Service Packs. Service Packs and information about them can be found at: http://commerce.beasys.com/downloads/weblogic_server.jsp#wls

Note: Information about securing BEA WebLogic Server and Express can be found in BEA e-docs on Programming WebLogic Security. Specific lockdown documentation is provided in the deployment chapter at http://e-docs.bea.com/wls/docs70/lockdown/index.html. We strongly encourage you to review this documentation so that you can be assured that your server deployment is securely configured.


III. FUTURE SECURITY COMMUNICATIONS

As a policy, if there are any security-related issues with any BEA product, BEA will distribute an advisory and instructions with the appropriate course of action. Because the security of your site, data, and code is our highest priority, we are committed to communicating all security-related issues clearly and openly.

BEA has established a permission-based emailing list specifically targeted for product security advisories. As a policy, if a user has opted-in to our emailing list and there are any security issues with the BEA product(s) he/she is using, BEA will distribute an advisory and instructions via email with the appropriate course of action.

You have received this message because you have opted in for BEA WebLogic Security Advisories. Thank you for registering with us.

IF THERE ARE ADDITIONAL USERS RESPONSIBLE FOR SECURITY-RELATED ISSUES AT YOUR SITE, PLEASE DIRECT THEM TO REGISTER AT THE FOLLOWING URL:
http://contact2.bea.com/bea/www/advisories/login.jsp


IV. REPORTING SECURITY ISSUES

Security issues can be reported to BEA by sending email to secalert@bea.com or by following the directions at http://dev2dev.bea.com/advisoriesnotifications/. All reports of security issues will be promptly reviewed and all necessary actions taken to ensure the continued security of all customer assets.

If you have any questions or care to verify the authenticity of this advisory, please contact BEA Technical Support at support@bea.com.

Thank you,

BEA Systems, Inc.