Vulnerability Bulletins

Multiple vulnerabilities in BEA WebLogic, AquaLogic, Web Service WSDL and JRockit

Vulnerability classification

Property | Value
Confidence level | Official
Impact | Confidentiality
Difficulty | Expert
Attacker requirements | Remote access to a standard service, without an account

System information

Property | Value
Affected vendor | Commercial Software
Affected software |
  BEA WebLogic Portal Page 10.0, 9.2 <= MP2, 8.1 <= SP6 and 7.0 SP4 - SP7
  BEA WebLogic Workshop 10.0, 9.2 <= MP1, 9.1, 9.0 and 8.1 <= SP6
  BEA AquaLogic Interaction 6.1 <= MP1
  BEA AquaLogic Collaboration 4.2 and 4.1
  BEA Plumtree Foundation 6.0 <= SP1
  BEA Web Service WSDL 10.0 <= MP1, 9.2 <= MP2, 9.1, 9.0, 8.1 <= SP6, 7.0 <= SP7 and 6.1 <= SP7
  BEA JRockit R24 R24.3-1.4.2_04 - R24.5-1.4.2_08
  BEA JRockit R25 R25.0-1.5.0 - R25.2-1.5.0_03
  BEA WebLogic Server with plugins prior to November 2007
  BEA WebLogic Express with plugins prior to November 2007

Description

Multiple vulnerabilities have been discovered in BEA WebLogic Portal Page 10.0, 9.2 MP2 and earlier, 8.1 SP6 and earlier, and 7.0 SP4 through SP7; BEA WebLogic Workshop 10.0, 9.2 MP1 and earlier, 9.1, 9.0, and 8.1 SP6 and earlier; BEA AquaLogic Interaction 6.1 MP1 and earlier; BEA AquaLogic Collaboration 4.2 and 4.1; BEA Plumtree Foundation 6.0 SP1 and earlier; BEA Web Service WSDL 10.0 MP1 and earlier, 9.2 MP2 and earlier, 9.1, 9.0, 8.1 SP6 and earlier, 7.0 SP7 and earlier, and 6.1 SP7 and earlier; BEA JRockit R24 from version R24.3-1.4.2_04 through R24.5-1.4.2_08; BEA JRockit R25 from version R25.0-1.5.0 through R25.2-1.5.0_03; BEA WebLogic Server with plugins prior to November 2007; and BEA WebLogic Express with plugins prior to November 2007. A local or remote attacker could obtain sensitive information, bypass certain security restrictions or cause a denial of service by means of script injection, Cross-Site Scripting attacks or brute force.

Solution

Software update:

BEA AquaLogic Collaboration 4.2 MP1 / patch 4.2.1.317490
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/Collab_4.2.1.317490.zip
AquaLogic Interaction 6.1 MP1 / patch 6.1.1.316115
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/6.1.1.316115-ALUI_XSS_Vulnerability.zip
Plumtree Collaboration 4.1 SP2 / patch 4.1.2.317491
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/Collab_4.1.2.317491.zip
Plumtree Foundation 6.0 SP1 / patch 6.0.1.316111
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/6.0.1.316111-ALUI_XSS_Vulnerability.zip
WebLogic Server and WebLogic Express 10.0 Maintenance Pack 1 / patch CR345092, CR328282
WebLogic Server and WebLogic Express 9.2 Maintenance Pack 2 / patch CR345092, CR328282
WebLogic Server and WebLogic Express 8.1 Service Pack 6
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR345092_810sp6.jar
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR328282_81sp6.jar
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR318807_810sp6.jar
WebLogic Server and WebLogic Express 7.0 Service Pack 7
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR218580_700sp7.jar
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR358544_700sp7.jar
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR328282_70sp7.jar
WebLogic Server and WebLogic Express 6.1 Service Pack 7
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR218580_610sp7.jar
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR358542_610sp7.jar
WebLogic Server 9.1 / patch CR218580, CR345092, CR328282, CR325276, CR321470, CR321429, CR318807 and CR277048
WebLogic Server 9.0 GA Combo / patch CR239280
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR218580_900.jar
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR358541_900.jar
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR325276_CR277048_900rp.zip
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR321470_900.jar
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR321429_900.jar
WebLogic Portal 10.0 Maintenance Pack 1
WebLogic Portal 9.2 Maintenance Pack 2 / patch CR318480
WebLogic Portal 8.1 Service Pack 4
WebLogic Portal 7.0 SP4-SP7
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR282309_70.zip
WebLogic Portal 8.1 SP3-SP6: follow the recommendations in the WLP security guide
  http://edocs.bea.com/wlp/docs81/security/security.html#1013232
WebLogic Portal 8.1 SP6: follow the recommendations for patch CR242587
  http://edocs.bea.com/wlp/docs81/relnotes/relnotes.html#1117175
WebLogic Workshop 10.0 Maintenance Pack 1
WebLogic Workshop 9.2 Maintenance Pack 2
WebLogic Workshop 8.1 Service Pack 6
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/CR314887_81SP6.zip
WebLogic Server Plugins
  ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/security/WLSWebServerPlugins1.0.1014998.zip
JRockit
  http://commerce.bea.com/products/weblogicjrockit/jrockit_prod_fam.jsp

Standard identifiers

Property | Value
CVE |
BID | 27893

Additional resources

BEA
  http://dev2dev.bea.com/pub/advisory/256
  http://dev2dev.bea.com/pub/advisory/257
  http://dev2dev.bea.com/pub/advisory/258
  http://dev2dev.bea.com/pub/advisory/259
  http://dev2dev.bea.com/pub/advisory/260
  http://dev2dev.bea.com/pub/advisory/261
  http://dev2dev.bea.com/pub/advisory/262
  http://dev2dev.bea.com/pub/advisory/263
  http://dev2dev.bea.com/pub/advisory/264
  http://dev2dev.bea.com/pub/advisory/265
  http://dev2dev.bea.com/pub/advisory/266
  http://dev2dev.bea.com/pub/advisory/267
  http://dev2dev.bea.com/pub/advisory/268
  http://dev2dev.bea.com/pub/advisory/269
  http://dev2dev.bea.com/pub/advisory/270
  http://dev2dev.bea.com/pub/advisory/271
  http://dev2dev.bea.com/pub/advisory/272
  http://dev2dev.bea.com/pub/advisory/273
  http://dev2dev.bea.com/pub/advisory/274
  http://dev2dev.bea.com/pub/advisory/275
  http://dev2dev.bea.com/pub/advisory/276

Version history

Version | Comment | Date
1.0 | Advisory issued | 2008-02-21