TITLE:
BEA WebLogic MBean Exposure of Configuration Information
SECUNIA ADVISORY ID:
SA18396
VERIFY ADVISORY:
http://secunia.com/advisories/18396/
CRITICAL:
Less critical
IMPACT:
Exposure of system information, Exposure of sensitive information
WHERE:
From remote
SOFTWARE:
BEA WebLogic Express 6.x
http://secunia.com/product/1281/
BEA WebLogic Express 7.x
http://secunia.com/product/1282/
BEA WebLogic Express 8.x
http://secunia.com/product/1843/
BEA WebLogic Server 6.x
http://secunia.com/product/753/
BEA WebLogic Server 7.x
http://secunia.com/product/754/
BEA WebLogic Server 8.x
http://secunia.com/product/1360/
DESCRIPTION:
A security issue has been reported in BEA WebLogic Server and
WebLogic Express, which can be exploited by malicious people to
disclose system information and potentially sensitive information.
The problem is that the MBeanHome for a site can be retrieved
anonymously via JNDI (Java Naming and Directory Interface). This can
be exploited to disclose certain configuration MBeans containing
potentially sensitive configuration information.
Successful exploitation requires RMI (Remote Method Invocation)
access to the site and that anonymous admin lookup has not been
disabled.
The security issue has been reported in versions 6.1, 7.0, and 8.1.
Other versions may also be affected.
SOLUTION:
The vendor recommends protecting JNDI entries containing sensitive
information, disabling anonymous admin lookup (version 7.x or later),
or restricting RMI access. See the vendor advisory for more details.
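As an added example (not part of the Secunia or BEA advisory), a small audit script that reads a WebLogic 7.x/8.x config.xml and reports whether the anonymous admin lookup switch is off, then maps the result onto the mitigations listed above. It assumes the switch is stored as the AnonymousAdminLookupEnabled attribute of the SecurityConfiguration element; the config fragment is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Assumption (not stated in the advisory): WebLogic 7.x/8.1 persist the console's
# "Anonymous Admin Lookup Enabled" switch as the AnonymousAdminLookupEnabled
# attribute of the <SecurityConfiguration> element in the domain's config.xml.
ATTR = "AnonymousAdminLookupEnabled"

# Constructed 8.1-style config.xml fragment (not a real domain); the switch is on.
SAMPLE_CONFIG = """<Domain ConfigurationVersion="8.1.0.0" Name="mydomain">
  <Server ListenPort="7001" Name="myserver"/>
  <SecurityConfiguration Name="mydomain" AnonymousAdminLookupEnabled="true"/>
</Domain>
"""


def audit_anonymous_admin_lookup(config_xml: str) -> list:
    """Return one finding per <SecurityConfiguration> element.

    status is "disabled" (switch explicitly off), "enabled" (configuration
    MBeans reachable through an anonymous JNDI lookup of the MBeanHome) or
    "unset" (attribute absent, so the server default applies: confirm it in
    the console rather than assuming it is safe).
    """
    findings = []
    for sec in ET.fromstring(config_xml).iter("SecurityConfiguration"):
        value = sec.get(ATTR)
        if value is None:
            status = "unset"
        elif value.strip().lower() == "false":
            status = "disabled"
        else:
            status = "enabled"
        findings.append({"name": sec.get("Name", "?"), "status": status})
    return findings


def recommend(findings: list) -> str:
    """Map the audit result onto the mitigations listed in the advisory."""
    if not findings:
        # No <SecurityConfiguration> element: typically a 6.x domain, which has
        # no anonymous-lookup switch, so only the other two mitigations remain.
        return "no switch available: protect sensitive JNDI entries and restrict RMI access"
    if all(f["status"] == "disabled" for f in findings):
        return "anonymous admin lookup disabled; still restrict RMI access where possible"
    return "disable anonymous admin lookup and restrict RMI access"


if __name__ == "__main__":
    result = audit_anonymous_admin_lookup(SAMPLE_CONFIG)
    print(result, "->", recommend(result))
```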
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
http://dev2dev.bea.com/pub/advisory/162
About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches; only
use those supplied by the vendor.