WebLogic Vulnerabilities

Updated (3.1.3)
CVE-2000-0682
CVE-2000-0683
CVE-2000-0684
CVE-2000-0685

Impact

Vulnerabilities in the WebLogic web server could allow an attacker to execute arbitrary code, crash the server, or read the source code of any file within the web document root.

Background

BEA WebLogic servers are web servers designed for e-commerce applications.

The Problems


dot-dot buffer overflow

The WebLogic server uses a different section of code to process requests beginning with ".." than it uses for normal requests. A buffer overflow in this section of the code could be used by a remote attacker to create a race condition which could lead to a server crash or the execution of arbitrary code.

BEA WebLogic Server 5.1.0 prior to Service Pack 7 is affected by this vulnerability.


Source code exposure

CVE-2000-0682
CVE-2000-0683
This vulnerability could allow a remote attacker to view the source code of any file within the web document tree. Depending upon the configuration, it is possible to exploit this vulnerability using the File Servlet or the Server Side Include Servlet. If the example weblogic.properties file is used, these servlets can be accessed through the ConsoleHelp alias and the virtual name *.shtml, respectively. Source code from some scripts could include sensitive information such as passwords or directory paths which could be used in a subsequent attack against the server.

BEA WebLogic Enterprise 5.1.x and BEA WebLogic Server and Express 4.5.x and 5.1.x are vulnerable in certain configurations, including the configuration resulting from the example weblogic.properties file.


Execution of arbitrary JSP/jHTML commands

CVE-2000-0684
CVE-2000-0685
This vulnerability could allow a misconfigured or malicious application to write files to the web document root. Executable code could be inserted into JSP or jHTML pages and would be executed the next time the page was retrieved by a client. BEA WebLogic Enterprise 5.1.x and all versions of WebLogic Server and Express are vulnerable.

Resolutions

The resolution for the dot-dot buffer overflow is to apply Service Pack 7 or higher for WebLogic 5.1.0.

For the source code exposure vulnerability, apply Service Pack 5 or higher for WebLogic 5.1.0.

Alternatively, apply the Show Code patch. Contact support@bea.com to obtain the patch. After the patch has been applied, make sure the following changes have taken place in weblogic.properties:

weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.file=defaultFilename=index.html
weblogic.httpd.defaultServlet=file

should be changed to:

weblogic.httpd.register.*.html=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.*.html=defaultFilename=index.html
weblogic.httpd.defaultServlet=*.html
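As an added check (not from this advisory or from BEA), the following reads a weblogic.properties excerpt and reports whether FileServlet is still registered under a bare alias, as in the weak block above, or bound to a file-extension virtual name, as in the corrected block. The two sample excerpts are constructed from those blocks; the rule that a safe registration name looks like *.ext is an assumption drawn from the fix.

```python
import re

# Constructed sample: the weak registration shown in the advisory.
WEAK_PROPERTIES = """\
# weblogic.properties excerpt before the Show Code fix (constructed)
weblogic.httpd.register.file=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.file=defaultFilename=index.html
weblogic.httpd.defaultServlet=file
"""

# Constructed sample: the corrected registration shown in the advisory.
FIXED_PROPERTIES = """\
# weblogic.properties excerpt after the Show Code fix (constructed)
weblogic.httpd.register.*.html=weblogic.servlet.FileServlet
weblogic.httpd.initArgs.*.html=defaultFilename=index.html
weblogic.httpd.defaultServlet=*.html
"""

FILE_SERVLET = "weblogic.servlet.FileServlet"
REGISTER_PREFIX = "weblogic.httpd.register."
INITARGS_PREFIX = "weblogic.httpd.initArgs."
DEFAULT_KEY = "weblogic.httpd.defaultServlet"
# Assumption: a safe virtual name is an extension pattern such as *.html.
SAFE_ALIAS = re.compile(r"\*\.[A-Za-z0-9]+")


def parse_properties(text):
    """Minimal Java .properties reader: key=value per line, '#'/'!' comments.
    Only the first '=' splits, so initArgs values keep their own '='."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_file_servlet(text):
    """Return findings about FileServlet registrations; [] means every
    registration is bound to an extension pattern and has its initArgs."""
    props = parse_properties(text)
    aliases = [k[len(REGISTER_PREFIX):] for k, v in props.items()
               if k.startswith(REGISTER_PREFIX) and v == FILE_SERVLET]
    findings = []
    for alias in aliases:
        if not SAFE_ALIAS.fullmatch(alias):
            findings.append(f"FileServlet registered under bare alias '{alias}'")
        if INITARGS_PREFIX + alias not in props:
            findings.append(f"no initArgs entry for alias '{alias}'")
    default = props.get(DEFAULT_KEY)
    if default in aliases and not SAFE_ALIAS.fullmatch(default):
        findings.append(f"defaultServlet points at bare alias '{default}'")
    return findings
```

Run audit_file_servlet over the live weblogic.properties after applying the patch; an empty result means the registration matches the corrected block.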

The resolution for the JSP/jHTML file write vulnerability is to use proper access controls on the web document root, and to remove any unnecessary applications. See BEA Security Advisory 00-04.00 for specific fix information.

Where can I read more about this?

For more information on the dot-dot buffer overflow, see Defcom Labs Advisory 2000-04.

For more information on the source code exposure vulnerability, see BEA Security Advisory 00-03.00.

For more information on the file write vulnerability, see BEA Security Advisory 00-04.00.