From: Panda Oxygen3 24h-365d

"We learn from history that we do not learn from history."
Georg Wilhelm Friedrich Hegel (1770-1831); German philosopher.

- New updates for BEA WebLogic -
Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, April 26 2004 - BEA has released(*) four new updates for WebLogic Server and WebLogic Express, to correct vulnerabilities that could be exploited maliciously.

The first of the updates actually replaces a previous one released by BEA to resolve problems in the assigning of privileges on creating new groups.

The second concerns the specification of URL patterns ending in * instead of /*. Although this syntax is prohibited by Servlet 2.3, a coding error means that they are treated as wildcards. Web applications configured in this way will not be protected if they migrate from version 6.x to version 7.x or later of WebLogic Server.

The third vulnerability is caused when an application calls the remove() method of an EJB with a remote view.

Finally, the fourth vulnerability occurs when using the config.sh or config.cmd configuration tools, which produce a log file that contains the administrative username and password in clear-text.

(*) Full information about the security problems described above, the versions affected and the corresponding patches released by BEA is available from:

- BEA04-52.01 Bulletin: http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_52.01.jsp
- BEA04-56.00 Bulletin: http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_56.00.jsp
- BEA04-57.00 Bulletin: http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_57.00.jsp
- BEA04-58.00 Bulletin: http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_58.00.jsp

NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.
*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews, see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
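An added example, not part of the newsletter or of BEA's bulletins: a pre-migration audit for the second issue above, listing every url-pattern in a web.xml that ends in * without being a /* path mapping. The function names and the sample descriptor are constructed for illustration, and the check assumes the deployment descriptor is well-formed XML.

```python
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor (not from the advisory).
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin*</url-pattern>
      <url-pattern>/reports/*</url-pattern>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <servlet-mapping>
    <servlet-name>status</servlet-name>
    <url-pattern>/status*</url-pattern>
  </servlet-mapping>
</web-app>"""


def local_name(tag):
    """Drop an XML namespace prefix such as '{http://...}url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def is_suspect(pattern):
    """True for patterns ending in '*' that are not a '/*' path mapping."""
    return pattern.endswith("*") and not pattern.endswith("/*")


def find_suspect_patterns(web_xml_text):
    """Return (parent element, pattern) pairs for url-patterns to review."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for parent in root.iter():
        for child in parent:
            if local_name(child.tag) != "url-pattern":
                continue
            pattern = (child.text or "").strip()
            if is_suspect(pattern):
                findings.append((local_name(parent.tag), pattern))
    return findings


if __name__ == "__main__":
    for parent, pattern in find_suspect_patterns(SAMPLE_WEB_XML):
        print(f"review {pattern!r} under <{parent}>")
```

Findings under web-resource-collection are the ones that affect access control; rewriting them as /* path mappings and retesting the constraint after migration closes the gap the newsletter describes.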