CERT Coordination Center

BEA WebLogic Server fails to discard cached authentication information when web applications are updated

Vulnerability Note VU#691153

Original Release Date: 2003-03-26 | Last Revised: 2003-03-26

Overview

The BEA WebLogic server contains a vulnerability that may allow authenticated users to bypass authentication for a given web application when the application has been updated.

Description

The BEA WebLogic Server provides a feature that allows it to store user authentication information for future sessions. This product contains a vulnerability that prevents this stored information from being erased when a given web application is updated using "dynamic redeployment". As a result, users who authenticate prior to an update of a web application may be able to bypass authentication when accessing the web application after an update.

This vulnerability is particularly significant when the update to a given web application affects its authentication mechanism. The following scenario provides a possible example of the effects of this vulnerability:

    • "User A" successfully authenticates to "Web Application Z"
    • "Web Application Z" stores the authentication credentials for future sessions
    • "Web Application Z" is updated with a new authentication policy that should prevent "User A" from gaining access
    • "User A" attempts to connect to "Web Application Z"
    • "Web Application Z" grants access to "User A" based upon the previously stored credentials
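As an added illustration (not from the CERT note or BEA's own code), a small Python model of the scenario above: an authentication cache that keeps entries across a redeployment grants access under the old policy, while one that tags each entry with a deployment generation and discards stale entries forces re-authentication against the new policy. All names (WebApp, AuthCache, the generation counter) are constructed for this example.

```python
"""Model of the cached-authentication flaw described in VU#691153 (constructed example)."""
from dataclasses import dataclass


@dataclass
class WebApp:
    name: str
    policy: set          # usernames the application's current auth policy admits
    generation: int = 1  # incremented on every dynamic redeployment


class AuthCache:
    """Remembers successful logins as (app, user) -> deployment generation."""

    def __init__(self, invalidate_on_redeploy: bool):
        self.invalidate_on_redeploy = invalidate_on_redeploy
        self._entries = {}

    def login(self, app: WebApp, user: str, password: str, creds: dict) -> bool:
        # Credentials must match and the current policy must admit the user.
        if creds.get(user) != password or user not in app.policy:
            return False
        self._entries[(app.name, user)] = app.generation
        return True

    def is_authenticated(self, app: WebApp, user: str) -> bool:
        gen = self._entries.get((app.name, user))
        if gen is None:
            return False
        # Hardened behaviour: an entry created under an older deployment is stale.
        if self.invalidate_on_redeploy and gen != app.generation:
            del self._entries[(app.name, user)]
            return False
        return True


def redeploy(app: WebApp, new_policy: set) -> None:
    """Dynamic redeployment: install a new policy and bump the generation."""
    app.policy = set(new_policy)
    app.generation += 1


def scenario(invalidate_on_redeploy: bool) -> bool:
    """Replays the advisory's scenario; returns whether User A still gets in."""
    creds = {"user_a": "pw"}           # constructed sample credentials
    app = WebApp("Z", {"user_a"})
    cache = AuthCache(invalidate_on_redeploy)
    assert cache.login(app, "user_a", "pw", creds)
    redeploy(app, set())               # new policy no longer admits user_a
    return cache.is_authenticated(app, "user_a")
```

`scenario(False)` reproduces the bypass (access is still granted), while `scenario(True)` shows the cache being cleared so the new policy takes effect.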

Impact

This vulnerability may allow remote users to bypass the authentication mechanism of a given web application.

Solution

Apply a patch
BEA Systems Inc. has published Security Advisory BEA03-27.00 to address this vulnerability. For more information, please see

http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-27.jsp

Vendor Information

BEA Systems Inc. Affected

Notified: March 24, 2003 Updated: March 26, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

BEA Systems Inc. has published Security Advisory BEA03-27.00 to address this vulnerability. For more information, please see

http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-27.jsp
Acknowledgements

The CERT/CC thanks BEA Systems, Inc. for reporting this vulnerability.

This document was written by Jeffrey P. Lanza.

Other Information

CVE IDs: None
Severity Metric: 0.19
Date Public: 2003-03-18
Date First Published: 2003-03-26
Date Last Updated: 2003-03-26 22:27 UTC
Document Revision: 13

Sponsored by CISA.