Software Engineering Institute

BEA Systems describes WebLogic Server as "an industrial-strength application infrastructure for developing, integrating, securing, and managing distributed Java applications." WebLogic Server supplies a Configuration Wizard for UNIX and Windows systems that allows an administrator to use configuration templates to simplify the setup process. There is a vulnerability in the config.sh (UNIX) and config.cmd (Windows) configuration tools that could result in the administrative username and password being stored in the clear text log file produced by these tools.

The BEA Security Advisory states that the following versions of WebLogic Server and Express are affected by this vulnerability:

• WebLogic Server and WebLogic Express 8.1 released through Service Pack 2, on all platforms

A user with privileges to access log files produced by the configuration tools could obtain the administrative username and password.

Upgrade
WebLogic Server and WebLogic Express version 8.1

1. Upgrade to WebLogic Server and WebLogic Express version 8.1 Service Pack 2.
2. Install the patch from: ftp://ftpna.beasys.com/pub/releases/security/CR135189_81sp2patch.jar

WebLogic Server version 8.1 Service Pack 3 will include the functionality in this patch.