[virusinfo] Oxygen3 24h-365d [New updates for BEA WebLogic - 04/26/04]

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Tue, 27 Apr 2004 13:30:55 -0700

From: Panda Oxygen3 24h-365d:

"We learn from history that we do not learn from history."
   Georg Wilhelm Friedrich Hegel (1770-1831); German philosopher. 

              - New updates for BEA WebLogic -
  Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, April 26 2004 - BEA has released(*) four new updates for WebLogic
Server and WebLogic Express, to correct vulnerabilities that could be
exploited maliciously.

The first of the updates actually replaces a previous one released by BEA to
resolve problems in the assigning of privileges on creating new groups. The
second concerns the specification of URL patterns ending in * instead of /*.
Although this syntax is prohibited by Servlet 2.3, a coding error means that
they are treated as wildcards. Web applications configured in this way will
not be protected if they migrate from version 6.x to version 7.x or later of
WebLogic Server.

The third vulnerability is caused when an application calls the remove()
method of an EJB with a remote view. Finally the fourth vulnerability occurs
when using the config.sh or config.cmd configuration tools, which produce a
log file that contains the administrative username and password in
clear-text. 

(*)Full information about the security problems described above, the
versions affected and the corresponding patches released by BEA is available
from:

- BEA04-52.01 Bulletin:
http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_52.01.jsp

- BEA04-56.00 Bulletin:
http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_56.00.jsp

- BEA04-57.00 Bulletin:
http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_57.00.jsp

- BEA04-58.00 Bulletin:
http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_58.00.jsp

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.

*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
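
An added example, not part of the Panda bulletin or BEA's advisories: a Python check that could be run over a web.xml before a 6.x to 7.x migration, listing security-constraint URL patterns that end in * rather than /*. The sample descriptor and the function names are constructed for illustration, and limiting the check to security-constraint entries is an assumption drawn from the bulletin's wording about protection.

```python
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor (not taken from the BEA bulletins).
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin*</url-pattern>
      <url-pattern>/reports/*</url-pattern>
      <url-pattern>*.jsp</url-pattern>
      <url-pattern>/private/docs*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admins</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def local(tag):
    """Strip an XML namespace so DTD-based and schema-based descriptors both match."""
    return tag.rsplit("}", 1)[-1]


def risky_patterns(web_xml_text):
    """Return (resource-name, pattern) pairs for security-constraint
    url-patterns that end in '*' but not in '/*'."""
    findings = []
    for constraint in ET.fromstring(web_xml_text).iter():
        if local(constraint.tag) != "security-constraint":
            continue
        for coll in constraint:
            if local(coll.tag) != "web-resource-collection":
                continue
            fields = [(local(c.tag), (c.text or "").strip()) for c in coll]
            name = next((v for t, v in fields if t == "web-resource-name"), "")
            findings += [(name, v) for t, v in fields
                         if t == "url-pattern"
                         and v.endswith("*") and not v.endswith("/*")]
    return findings


if __name__ == "__main__":
    for name, pattern in risky_patterns(SAMPLE_WEB_XML):
        print(f"{name}: '{pattern}' ends in * but not /*; rewrite before migrating")
```

Patterns such as /reports/* and *.jsp are valid Servlet 2.3 mappings and are not reported; each reported pattern should be rewritten and the constraint retested on the target server version.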


