Unencrypted SSL connections in BEA WebLogic
BEA’s WebLogic application server contains a weakness that could let an attacker read sensitive data in transit. The vendor has released two advisories describing the problem and linking to the software updates that remedy it.
According to BEA, under certain conditions (which are not described in more detail) SSL clients that run outside the server environment may fail to find all of the cipher suites they support and therefore present an incomplete list to the server when negotiating the SSL connection. If none of the offered suites matches one the server is configured to use, the server falls back to its default null cipher: the handshake completes, but the subsequent client-server traffic is sent in the clear. Because no error is raised, neither side notices the downgrade. An attacker who can observe the traffic, from a man-in-the-middle position or simply by sniffing a shared network segment, can read the confidential data passing over the connection; no active tampering is required.
BEA’s updates address the problem in two ways: the server now logs every SSL connection that is negotiated without encryption, and a new configuration setting lets administrators prohibit unencrypted connections altogether. Logging only makes the fallback visible; the configuration setting is what actually prevents it, so it should be enabled. Updates with these functions are provided for the affected versions WebLogic Server 10.0, 9.2, 9.1, 9.0, 8.1 and 7.0 and for WebLogic Express 8.1 and 7.0. Administrators should install them as soon as possible.
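The negotiation and the two remedies described above, modelled as an added example (illustrative code written for this page, not BEA’s or WebLogic’s own; the server preference order, the client suite lists and the warning line format are constructed for the example, while the suite names follow the standard SSL 3.0/TLS naming convention):

```python
"""Model of SSL cipher-suite negotiation with and without a null-cipher
fallback. Constructed example, not WebLogic's implementation."""

# Standard null-cipher suites: the handshake succeeds, but no encryption is applied.
NULL_SUITES = frozenset({"SSL_RSA_WITH_NULL_MD5", "SSL_RSA_WITH_NULL_SHA"})

# Constructed server configuration in the weak state: strong suites preferred,
# null suites still enabled as a last-resort default.
WEAK_SERVER_SUITES = [
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_NULL_SHA",
    "SSL_RSA_WITH_NULL_MD5",
]
# Hardened configuration ("prohibit unencrypted connections"): null suites removed.
HARDENED_SERVER_SUITES = [s for s in WEAK_SERVER_SUITES if s not in NULL_SUITES]

# A healthy client offers everything it supports (constructed list).
FULL_CLIENT_OFFER = [
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_NULL_SHA",
]
# An affected client found only part of its list; the null suite is the only
# thing it has in common with the server (constructed list).
INCOMPLETE_CLIENT_OFFER = ["SSL_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_RSA_WITH_NULL_SHA"]


class HandshakeFailure(Exception):
    """Raised when client and server share no cipher suite."""


def select_cipher_suite(client_offer, server_suites):
    """Server-side choice: the first suite in server preference order that the
    client also offered. Whether a null suite can win depends solely on
    whether it is present in server_suites."""
    offered = set(client_offer)
    for suite in server_suites:
        if suite in offered:
            return suite
    raise HandshakeFailure("no common cipher suite in " + ", ".join(client_offer))


def session_is_encrypted(suite):
    """True unless the negotiated suite is a null cipher."""
    return suite not in NULL_SUITES


def handshake_succeeds(client_offer, server_suites):
    """True if negotiation produces any suite at all (encrypted or not)."""
    try:
        select_cipher_suite(client_offer, server_suites)
        return True
    except HandshakeFailure:
        return False


def negotiate(client_offer, server_suites):
    """Run the negotiation and return (suite, log_line). The log line models
    the logging remedy: unencrypted sessions are written to the server log.
    The format is this example's own, not WebLogic's."""
    suite = select_cipher_suite(client_offer, server_suites)
    if session_is_encrypted(suite):
        return suite, None
    return suite, f"WARNING SSL session negotiated with null cipher {suite}: traffic is NOT encrypted"


def cipher_is_acceptable(cipher_info):
    """Client-side guard. cipher_info has the shape ssl.SSLSocket.cipher()
    returns: (name, protocol, secret_bits). A client should abort the
    session when this returns False instead of trusting the handshake."""
    name, _protocol, bits = cipher_info
    return bits > 0 and "NULL" not in name.upper()


if __name__ == "__main__":
    for label, client, server in [
        ("healthy client, weak server", FULL_CLIENT_OFFER, WEAK_SERVER_SUITES),
        ("affected client, weak server", INCOMPLETE_CLIENT_OFFER, WEAK_SERVER_SUITES),
        ("healthy client, hardened server", FULL_CLIENT_OFFER, HARDENED_SERVER_SUITES),
    ]:
        suite, log_line = negotiate(client, server)
        print(f"{label}: {suite} encrypted={session_is_encrypted(suite)}")
        if log_line:
            print("  " + log_line)
    print("affected client, hardened server: handshake succeeds =",
          handshake_succeeds(INCOMPLETE_CLIENT_OFFER, HARDENED_SERVER_SUITES))
```

The point of the model: with the weak configuration the affected client still completes a handshake, just one that yields a null cipher and therefore plaintext; with the null suites removed the same client fails the handshake loudly, which is the behaviour the "prohibit unencrypted communications" setting restores. The `cipher_is_acceptable` guard is the check a client outside the server environment should apply to whatever its SSL library reports after the handshake, so that a downgrade is refused on the client side even when the server has not yet been patched.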
- SSL clients may not find all possible cipher suites resulting in use of the default null cipher (no encryption), security advisory by BEA
- Server may select a cipher suite that uses a null cipher for SSL communication with SSL clients, security advisory by BEA