[NEWS] BEA WebLogic Server Infinite Invalid Authentication Attempts
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 25 Feb 2008 19:36:46 +0200
The following security advisory was sent to the SecuriTeam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
BEA WebLogic Server Infinite Invalid Authentication Attempts
------------------------------------------------------------------------
SUMMARY
BEA WebLogic Server is "the world leading application server software".
It is possible to launch a credential brute force attack against known
users through an internal BEA WebLogic Server servlet that bypasses the
account locking mechanism.
DETAILS
Vulnerable Systems:
* BEA WebLogic Server version 7.0sp6
* BEA WebLogic Server version 8.1sp4
* BEA WebLogic Server version 9.0sp2
Immune Systems:
* BEA WebLogic Server version 6.x and prior
To prevent credential brute force attacks, WebLogic Server has a locking
mechanism that locks the corresponding account after a number of invalid
login attempts.
By default the lock is triggered after 5 invalid login attempts and
remains in place for 30 minutes.
S21SEC has found that an internal servlet allows valid credentials to be
guessed even when the attacked account is locked, so an unlimited number
of invalid authentication attempts can be made against an account.
Once the correct credentials are guessed, it is only necessary to wait for
the account to unlock and then log on to the server.
The affected servlet is:
/wl_management_internal1/LogfileSearch (Version 7 & 8)
/bea_wls_diagnostics/accessor (Version 9)
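As an added example (not part of the S21SEC or SecuriTeam advisory), the following check flags the condition the advisory describes from the defender's side: an account that accumulates more failed requests to the internal servlets inside one lockout window than the lockout threshold should ever allow. It assumes a simple access-log line shape and that the log records the attempted username; both are assumptions for this example, not WebLogic's real log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Servlet paths named in the advisory: a 401 on these is an authentication
# attempt that the account-lockout mechanism does not stop.
INTERNAL_SERVLETS = ("/wl_management_internal1/LogfileSearch",
                     "/bea_wls_diagnostics/accessor")
LOCKOUT_THRESHOLD = 5                 # WebLogic default per the advisory
LOCKOUT_WINDOW = timedelta(minutes=30)

# Assumed access-log shape (an assumption for this example, not WebLogic's
# real format): ip user [dd/Mon/yyyy:HH:MM:SS] "METHOD path HTTP/x" status
LINE_RE = re.compile(r'^(\S+) (\S+) \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})$')

def lockout_bypass_candidates(lines):
    """Map user -> peak number of 401s on the internal servlets within one
    LOCKOUT_WINDOW, for users whose peak exceeds LOCKOUT_THRESHOLD. Under a
    working lockout, no account should ever exceed the threshold."""
    failures = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                  # unparseable line: skip, don't crash
        _ip, user, ts, path, status = m.groups()
        if status != "401" or not path.startswith(INTERNAL_SERVLETS):
            continue
        failures[user].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S"))
    flagged = {}
    for user, stamps in failures.items():
        stamps.sort()
        start = 0                     # sliding window over sorted timestamps
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > LOCKOUT_WINDOW:
                start += 1
            if end - start + 1 > LOCKOUT_THRESHOLD:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged

# Constructed sample log (not captured from a real server): seven failures
# for "admin" on the internal servlet within six minutes, plus unrelated noise.
SAMPLE_LOG = [
    f'10.0.0.5 admin [25/Feb/2008:19:0{i}:00] "GET /wl_management_internal1/LogfileSearch HTTP/1.1" 401'
    for i in range(7)
] + [
    '10.0.0.9 bob [25/Feb/2008:19:03:00] "POST /myapp/login HTTP/1.1" 401',
    '10.0.0.7 carol [25/Feb/2008:19:05:00] "GET /bea_wls_diagnostics/accessor HTTP/1.1" 200',
]
```

Running `lockout_bypass_candidates(SAMPLE_LOG)` flags `admin` with a peak of 7 failures; `bob` is ignored because the path is not one of the internal servlets, and `carol` because the request succeeded.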
Workaround:
BEA has released an advisory about this vulnerability. Updates and more
information are available on the BEA website:
http://dev2dev.bea.com/pub/advisory/271
ADDITIONAL INFORMATION
The information has been provided by Ramon Pinuaga Cascales
(rpinuaga@xxxxxxxxxx).
The original article can be found at:
http://www.s21sec.com/avisos/s21sec-040-en.txt