
CERT Coordination Center

BEA WebLogic Server "ResourceAllocationException" exception may disclose user password

Vulnerability Note VU#331937

Original Release Date: 2003-01-15 | Last Revised: 2003-01-20

Overview

A vulnerability in BEA's WebLogic Server may disclose sensitive information.

Description

From the BEA WebLogic Server 7.0 Overview:

BEA WebLogic Server is a fully featured, standards-based application server providing the foundation on which an enterprise can build its applications.

BEA released a security advisory (BEA03-24.00) detailing an information disclosure vulnerability. Quoting from BEA03-24.00:

This vulnerability concerns the display of the system password. If an application is using a bridge to route messages to a JMS target domain, and either that domain is not available, or a configuration problem prevents the obtaining of an initial context for the JMS target domain, WebLogic Server throws a ResourceAllocationException that may include the user's password.
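The advisory does not show how the leaking message is built, so the following Java, added here and not WebLogic or BEA code, models the bug class: a failed JNDI initial-context lookup for a JMS target domain whose failure text echoes the connection environment, Context.SECURITY_CREDENTIALS included, beside a version that masks the credential before the message leaves the catch block. The factory class name, URL, user and password are constructed sample values; the bogus factory stands in for an unavailable or misconfigured target domain so the demo runs offline.

```java
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import java.util.Hashtable;

public class BridgeContextDemo {
    // Constructed JNDI environment for the JMS target domain (hypothetical values).
    static Hashtable<String, String> sampleEnv() {
        Hashtable<String, String> env = new Hashtable<>();
        // Nonexistent factory class: stands in for an unreachable/misconfigured domain.
        env.put(Context.INITIAL_CONTEXT_FACTORY, "example.NoSuchContextFactory");
        env.put(Context.PROVIDER_URL, "t3://jms-target.example:7001");
        env.put(Context.SECURITY_PRINCIPAL, "bridgeuser");
        env.put(Context.SECURITY_CREDENTIALS, "S3cret-example");
        return env;
    }

    // Leaky pattern: the failure text dumps the whole environment, password included.
    static String leakyMessage(Hashtable<String, String> env) {
        try {
            new InitialContext(env).close();
            return "ok";
        } catch (NamingException e) {
            return "Cannot obtain initial context for JMS target domain; env=" + env
                    + "; cause=" + e.getMessage();
        }
    }

    // Hardened pattern: copy the environment, mask the credential, then report.
    static String safeMessage(Hashtable<String, String> env) {
        try {
            new InitialContext(env).close();
            return "ok";
        } catch (NamingException e) {
            Hashtable<String, String> redacted = new Hashtable<>(env);
            if (redacted.containsKey(Context.SECURITY_CREDENTIALS)) {
                redacted.put(Context.SECURITY_CREDENTIALS, "***REDACTED***");
            }
            return "Cannot obtain initial context for JMS target domain; env=" + redacted
                    + "; cause=" + e.getMessage();
        }
    }

    public static void main(String[] args) {
        Hashtable<String, String> env = sampleEnv();
        System.out.println(leakyMessage(env).contains("S3cret-example")); // true: leaks
        System.out.println(safeMessage(env).contains("S3cret-example"));  // false: masked
    }
}
```

The same masking applies to anything that ends up in a thrown exception, a log line or an admin console, since all three are places a remote client or a lower-privileged operator may read.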

Impact

A remote attacker may be able to gain access to the system password.

Solution

Apply a patch.

Vendor Information



References

Acknowledgements

Our thanks to BEA Systems for providing BEA03-24.00.

This document was written by Ian A Finlay.

Other Information

CVE IDs: None
Severity Metric: 17.28
Date Public: 2003-01-11
Date First Published: 2003-01-15
Date Last Updated: 2003-01-20 13:13 UTC
Document Revision: 5

Sponsored by CISA.