BEA WebLogic Server/Express Remote Denial of Service and Information Disclosure Vulnerabilities

Vulnerability Details

BEA WebLogic Server/Express Remote Denial of Service and Information Disclosure Vulnerabilities

Summary

BEA Systems WebLogic comprises several application-integration products, including Server, Express and Integration.
BEA Systems WebLogic Server and Express contain multiple issues that a remote attacker could exploit to cause a denial of service or to obtain sensitive information.
The specific problems are as follows:
1. Sending a malformed URL through the WebLogic Server plug-in to WebLogic Server or Express causes the proxy plug-in to crash, making the web site inaccessible. Sites that do not use a WebLogic Server proxy plug-in are not affected.
2. The issue is triggered when a WebLogic service is accessed over SSL via T3 but the URL specifies the non-secure listen port: for example, when the URL "t3s://myhost:7001" is replaced with "t3s://myhost:7002", a non-SSL connection is still made even though the "t3s" scheme is used. Attempting SSL on a non-secure port causes an application exception and thus a denial of service.
3. When a foreign JMS provider is used, the password field of the provider's weblogic.management.configuration.ForeignJMSConnectionFactoryMBean is displayed in clear text in the console and is also stored in clear text in the config.xml file. This can disclose the password.
4. Sending certain malformed data to the port the Node Manager listens on can crash the Node Manager without recovery. This does not occur in normal operation; the denial of service arises only when non-conforming data is sent to the port, for example during an NMAP scan.
5. By default, a site's MBeanHome can be obtained from JNDI by anonymous users, and from the MBeanHome many configuration MBeans can be retrieved and inspected. Although this does not fall within the scope of a known security vulnerability, BEA Systems considers it best security practice to deny an attacker access to excessive configuration data.
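Problem 3 above is easy to audit for on the server side: the clear-text credential ends up as an attribute in config.xml. The following is an added example (not part of this advisory or of BEA's software) that walks a config.xml document and reports every password-like attribute whose value lacks an encryption prefix. The prefix list and the sample document are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Assumption: encrypted password attributes in WebLogic config.xml carry a cipher
# prefix such as "{3DES}"; anything without such a prefix is treated as clear text.
ENCRYPTED_PREFIXES = ("{3DES}", "{AES}")


def find_plaintext_passwords(config_xml: str):
    """Return (element tag, attribute name, element Name) for each attribute whose
    name contains 'password' and whose value has no recognised encryption prefix."""
    root = ET.fromstring(config_xml)
    findings = []
    for elem in root.iter():  # document order, depth first
        for attr, value in elem.attrib.items():
            if "password" not in attr.lower():
                continue
            if value.startswith(ENCRYPTED_PREFIXES):
                continue  # stored encrypted, nothing to report
            findings.append((elem.tag, attr, elem.get("Name", "")))
    return findings


# Constructed sample config.xml fragment; element and attribute names are
# illustrative and not copied from a real deployment.
SAMPLE_CONFIG = """<Domain Name="mydomain">
  <Server Name="myserver" ListenPort="7001"/>
  <ForeignJMSServer Name="extjms" ConnectionURL="t3://jms.example.test:7001">
    <ForeignJMSConnectionFactory Name="extCF" LocalJNDIName="jms/extCF"
                                 RemoteJNDIName="ConnectionFactory"
                                 Username="jmsuser" Password="s3cret"/>
  </ForeignJMSServer>
  <JDBCConnectionPool Name="pool" PasswordEncrypted="{3DES}QWJjZGVm"/>
</Domain>
"""

if __name__ == "__main__":
    for tag, attr, name in find_plaintext_passwords(SAMPLE_CONFIG):
        print(f'clear-text credential: <{tag} Name="{name}"> attribute {attr}')
```

Run it against a copy of the domain's config.xml; any hit on a ForeignJMSConnectionFactory element is exactly the condition described in problem 3.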

Advisory

Workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:

* Restrict user access to the web administration interface.
Vendor patches:
BEA Systems
———–
The vendor has released patches that fix this security issue; download them from the vendor's site:

Patch files:

BEA Systems Patch CR121341.zip
ftp://ftpna.beasys.com/pub/releases/security/CR121341.zip

BEA Systems Patch CR121341_win.zip
ftp://ftpna.beasys.com/pub/releases/security/CR121341_win.zip

BEA Systems Patch CR125829_610sp5.jar
ftp://ftpna.beasys.com/pub/releases/security/CR125829_610sp5.jar

Affected versions and the patches that apply to each:

BEA Systems WebLogic Express 6.1 SP 5: CR121341.zip, CR121341_win.zip, CR125829_610sp5.jar
BEA Systems WebLogic Server 6.1 SP 5: CR121341.zip, CR121341_win.zip, CR125829_610sp5.jar
BEA Systems WebLogic Express 6.1 SP 4: CR121341.zip, CR121341_win.zip
BEA Systems WebLogic Server 6.1 SP 4: CR121341.zip, CR121341_win.zip
BEA Systems WebLogic Server 6.1 SP 3: CR121341.zip, CR121341_win.zip
BEA Systems WebLogic Express 6.1 SP 3: CR121341.zip, CR121341_win.zip
BEA Systems WebLogic Server 6.1 SP 2: CR121341.zip, CR121341_win.zip
BEA Systems WebLogic Express 6.1 SP 2: CR121341.zip, CR121341_win.zip
BEA Systems WebLogic Server 6.1 SP 1: CR121341.zip, CR121341_win.zip
BEA Systems WebLogic Express 6.1 SP 1: CR121341.zip, CR121341_win.zip
BEA Systems WebLogic Server 6.1: CR121341.zip, CR121341_win.zip
BEA Systems WebLogic Express 6.1: CR121341.zip, CR121341_win.zip
BEA Systems WebLogic Server 7.0 SP 3: CR121341.zip, CR121341_win.zip
BEA Systems WebLogic Express 7.0 SP 3: CR121341.zip, CR121341_win.zip
BEA Systems WebLogic Express 7.0 SP 2: CR121341.zip, CR121341_win.zip
BEA Systems WebLogic Server 7.0 SP 2: CR121341.zip, CR121341_win.zip
BEA Systems WebLogic Server 7.0 SP 1: CR121341.zip, CR121341_win.zip
BEA Systems WebLogic Express 7.0 SP 1: CR121341.zip, CR121341_win.zip

BEA Systems WebLogic Server 7.0:

BEA Systems Patch CR121341.zip

ftp://ftpna.beasys.com/pub/r


References

Source: BID
Name: 9034
Link: http://www.securityfocus.com/bid/9034

Source: BEA
Name: BEA03-41.00
Link: http://dev2dev.bea.com/pub/advisory/63

Source: NSFOCUS
Name: 5661
Link: http://www.nsfocus.net/vulndb/5661
