
CERT Coordination Center

BEA WebLogic Server "ResourceAllocationException" exception may disclose user password

Vulnerability Note VU#331937

Original Release Date: 2003-01-15 | Last Revised: 2003-01-20

Overview

A vulnerability in BEA's WebLogic Server may disclose sensitive information.

Description

From the BEA WebLogic Server 7.0 Overview:

BEA WebLogic Server is a fully featured, standards-based application server providing the foundation on which an enterprise can build its applications.

BEA released a security advisory (BEA03-24.00) detailing an information disclosure vulnerability. Quoting from BEA03-24.00:

This vulnerability concerns the display of the system password. If an application is using a bridge to route messages to a JMS target domain, and either that domain is not available, or a configuration problem prevents the obtaining of an initial context for the JMS target domain, WebLogic Server throws a ResourceAllocationException that may include the user's password.
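The failure mode described above is a general one: an exception raised on a failed connection echoes the connection environment, including the credential used to obtain the JNDI initial context, and that text ends up in server logs or in responses seen by a caller. The example below is added here to illustrate the pattern and the two things a defender wants from it; it is not BEA's code and does not reflect how WebLogic built the message. It assumes a JNDI-style environment keyed by the standard property names (java.naming.provider.url, java.naming.security.principal, java.naming.security.credentials), builds a diagnostic message that redacts secret values, and scans constructed, WebLogic-like log lines for a ResourceAllocationException that carries an unredacted credential. The log layout, the bridge name and the password value are all constructed samples.

```python
import re
from typing import Dict, Iterable, List

# JNDI environment keys whose values are secrets. The first is the standard
# javax.naming.Context.SECURITY_CREDENTIALS property name; the other two are
# assumed generic spellings a bridge configuration might use.
SECRET_KEYS = frozenset({
    "java.naming.security.credentials",
    "password",
    "credentials",
})

REDACTED = "<redacted>"


def redact_env(env: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of a JNDI-style environment with secret values masked.

    Key matching is case-insensitive so a mixed-case spelling of a secret key
    does not slip through.
    """
    return {
        key: (REDACTED if key.lower() in SECRET_KEYS else value)
        for key, value in env.items()
    }


def safe_allocation_message(target_domain: str, env: Dict[str, str], cause: str) -> str:
    """Build the text for a resource-allocation failure without leaking credentials.

    The weak pattern is an exception whose message carries the connection
    environment verbatim. This version echoes the environment only after
    redaction, so the message stays useful for diagnosis (provider URL,
    principal, underlying cause) but never contains the password.
    """
    settings = ", ".join(f"{k}={v}" for k, v in sorted(redact_env(env).items()))
    return (
        f"Cannot obtain initial context for JMS target domain '{target_domain}' "
        f"(settings: {settings}); cause: {cause}"
    )


# Matches "<secret-key>=<value>" inside a log line; the value runs to the next
# comma, closing brace, whitespace or end of line.
_SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b(java\.naming\.security\.credentials|password|credentials)=([^,}\s]+)"
)


def find_credential_leaks(log_lines: Iterable[str]) -> List[int]:
    """Return indices of log lines that record a ResourceAllocationException
    together with an unredacted credential value.

    This is the check to run over existing server logs to learn whether the
    condition in the advisory has already written a password to disk.
    """
    leaks: List[int] = []
    for idx, line in enumerate(log_lines):
        if "ResourceAllocationException" not in line:
            continue
        for match in _SECRET_ASSIGNMENT.finditer(line):
            if match.group(2) != REDACTED:
                leaks.append(idx)
                break
    return leaks


# Constructed sample log lines in a WebLogic-like layout; not real server output.
SAMPLE_LOG = [
    "<Jan 14, 2003 10:02:11> <Error> <JMS> <Bridge 'orders' failed: "
    "ResourceAllocationException: {java.naming.provider.url=t3://jms-target:7001, "
    "java.naming.security.principal=system, "
    "java.naming.security.credentials=S3cretPw!}>",
    "<Jan 14, 2003 10:02:12> <Info> <JMS> <Bridge 'orders' retrying in 30s>",
    "<Jan 14, 2003 10:05:40> <Error> <JMS> <Bridge 'orders' failed: "
    "ResourceAllocationException: {java.naming.provider.url=t3://jms-target:7001, "
    "java.naming.security.principal=system, "
    "java.naming.security.credentials=<redacted>}>",
]


if __name__ == "__main__":
    env = {
        "java.naming.provider.url": "t3://jms-target:7001",
        "java.naming.security.principal": "system",
        "java.naming.security.credentials": "S3cretPw!",
    }
    print(safe_allocation_message("jms-target", env, "connection refused"))
    print("lines leaking credentials:", find_credential_leaks(SAMPLE_LOG))
```

Only the first sample line is flagged: the third carries the same exception but its credential value is already masked, which is the state a patched or hardened server should leave the log in. If the scan does flag lines, the password in them should be treated as exposed to anyone who has read the log or received the exception text, and rotated.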

Impact

A remote attacker may be able to gain access to the system password.

Solution

Apply the patch referenced in BEA advisory BEA03-24.00 (see Vendor Information below).

Vendor Information


BEA Systems Inc. Affected

Updated: January 15, 2003

Status

Affected

Vendor Statement

See http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?highlight=advisoriesnotifications&path=components%2Fdev2dev%2Fresourcelibrary%2Fadvisoriesnotifications%2FBEA03-24.htm

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.



Acknowledgements

Our thanks to BEA Systems for providing BEA03-24.00.

This document was written by Ian A Finlay.

Other Information

CVE IDs: None
Severity Metric: 17.28
Date Public: 2003-01-11
Date First Published: 2003-01-15
Date Last Updated: 2003-01-20 13:13 UTC
Document Revision: 5

Sponsored by CISA.