In association with heise online

29 August 2007, 15:34

Unencrypted SSL connections in BEA WebLogic

BEA’s WebLogic application server system contains vulnerabilities that might allow attackers to monitor sensitive data in transit. The vendor has released two advisories to describe the problem and to offer remedies via links to software updates.

According to BEA, under certain conditions (which are not explained in more detail) SSL clients that run outside the server environment might not find all supported encryption algorithms and thus might offer an incomplete list to the server when negotiating the SSL connection. If the server cannot agree on a suitable algorithm with the client, the subsequent client-server communication is not encrypted. This would allow an attacker in a man-in-the-middle position to eavesdrop on such communications and gain access to confidential data.

BEA’s solution to this problem is to have the servers log the use of unencrypted connections. Administrators can also prohibit unencrypted communications in the configuration settings. Updates with these functions are provided for the affected versions WebLogic Server 10.0, 9.2, 9.1, 9.0, 8.1 and 7.0, and for WebLogic Express 8.1 and 7.0. Administrators should install these updates as soon as possible.
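
The negotiation failure and the two remedies described above, as an added model in Python (not WebLogic's code; the cipher-suite names, the server preference list and the audit log format are constructed for illustration): the first function reproduces the silent fallback to an unencrypted session when an incomplete client offer shares no suite with the server, the second logs every such session and refuses it unless the administrator has explicitly allowed plaintext.

```python
# Model of the SSL cipher-suite negotiation described in the advisory.
# Constructed example: suite names, preferences and log format are illustrative,
# not taken from WebLogic.

# Suites that provide no confidentiality; a session using one is plaintext.
NULL_SUITES = {"SSL_RSA_WITH_NULL_MD5", "SSL_RSA_WITH_NULL_SHA"}

# Server's preferred suites in order (constructed list).
SERVER_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_SHA",
]

class HandshakeFailure(Exception):
    """Raised when no acceptable cipher suite can be agreed upon."""

def negotiate_with_fallback(client_offer):
    """Vulnerable behaviour: pick the first server-preferred suite the client
    offered; if the (possibly incomplete) offer shares nothing with the server,
    silently continue with a NULL cipher, i.e. an unencrypted session."""
    for suite in SERVER_SUITES:
        if suite in client_offer:
            return suite
    return "SSL_RSA_WITH_NULL_SHA"  # no common suite: silently goes plaintext

def negotiate_strict(client_offer, allow_unencrypted=False, audit=None):
    """Hardened behaviour matching the advisory's remedies: every unencrypted
    session is written to the audit log, and unless the administrator has
    explicitly allowed plaintext sessions the handshake is refused instead."""
    audit = audit if audit is not None else []
    suite = negotiate_with_fallback(client_offer)
    if suite in NULL_SUITES:
        audit.append("WARNING unencrypted session negotiated; client offered "
                     + ",".join(sorted(client_offer)))
        if not allow_unencrypted:
            raise HandshakeFailure("no common cipher suite; refusing plaintext session")
    return suite

if __name__ == "__main__":
    # A client that failed to load all its algorithms offers only an export suite.
    incomplete_offer = ["SSL_RSA_EXPORT_WITH_RC4_40_MD5"]
    print(negotiate_with_fallback(incomplete_offer))  # SSL_RSA_WITH_NULL_SHA
    log = []
    try:
        negotiate_strict(incomplete_offer, audit=log)
    except HandshakeFailure as exc:
        print("refused:", exc, log)
```

The audit entries are what a log-based check for plaintext sessions would key on; with `allow_unencrypted=True` the session proceeds but is still recorded.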
