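Bea Systems WebLogic ResourceAllocationException System Password Disclosure Vulnerability
Published: 2003-01-11
Updated: 2003-01-11
Severity: High
Threat level: Password recovery
Error type: Failure to handle exceptional conditions
Exploitation method: Server mode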
BUGTRAQ ID:6856
Affected systems:
BEA Systems Weblogic Server 6.1 SP 3
- HP HP-UX 11i
- HP HP-UX 11.0
- IBM AIX 4.3.3
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP2
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP6a
- RedHat Linux 6.2 i386
- RedHat Linux 7.1 i386
- Sun Solaris 2.6 sparc
- Sun Solaris 2.7 sparc
- Sun Solaris 8.0
BEA Systems Weblogic Server 6.1 SP 2
- HP HP-UX 11i
- HP HP-UX 11.0
- IBM AIX 4.3.3
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP2
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6a
- RedHat Linux 6.2 i386
- RedHat Linux 7.1 i386
- Sun Solaris 2.6 sparc
- Sun Solaris 2.7 sparc
- Sun Solaris 8.0
BEA Systems Weblogic Server 6.1 SP 1
- HP HP-UX 11i
- HP HP-UX 11.0
- IBM AIX 4.3.3
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP2
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6a
- RedHat Linux 6.2 i386
- RedHat Linux 7.1 i386
- Sun Solaris 2.6 sparc
- Sun Solaris 2.7 sparc
- Sun Solaris 8.0
BEA Systems Weblogic Server 6.1
- HP HP-UX 11i
- HP HP-UX 11.0
- IBM AIX 4.3.3
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP2
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6a
- RedHat Linux 6.2 i386
- RedHat Linux 7.1 i386
- Sun Solaris 2.6 sparc
- Sun Solaris 2.7 sparc
- Sun Solaris 8.0
BEA Systems Weblogic Server 7.0.0.1
BEA Systems Weblogic Server 7.0 SP 1
BEA Systems Weblogic Server 7.0
- HP HP-UX 11i
- HP HP-UX 11.0
- IBM AIX 4.3.3
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP2
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP6
- Microsoft Windows NT Workstation 4.0 SP6a
- RedHat Linux 6.2 i386
- RedHat Linux 7.1 i386
- Sun Solaris 2.6 sparc
- Sun Solaris 2.7 sparc
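- Sun Solaris 8.0
Detailed description:
A BEA advisory identifies a security vulnerability in some WebLogic servers.
The vulnerability concerns disclosure of the system password. If an application uses a bridge to route messages to a JMS destination domain, then regardless of whether the domain is available, or when a configuration problem prevents the JMS destination domain's initialization information from being obtained, WebLogic Server generates a ResourceAllocationException that contains the user's password.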
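An added example, not part of the original advisory or BEA's code: a Python audit that finds log records naming ResourceAllocationException and masks credential values inside them, so exposed passwords can be identified and rotated. The sample log, its `####<` record marker and the `password=` key layout are constructed assumptions; the advisory does not show the exception text.

```python
import re

# Constructed sample log. The record layout, the "####<" marker and the
# "password=" key are assumptions for illustration, not real WebLogic output.
SAMPLE_LOG = """\
####<Jan 11, 2003 10:02:11 AM> <Info> <JMS> <srv1> <JMS server started>
####<Jan 11, 2003 10:02:15 AM> <Error> <MessagingBridge> <srv1> <Failed to get connection
ResourceAllocationException: cannot reach destination
    url=t3://jms.example.invalid:7001 user=bridgeuser password=S3cr3t!Example
    at example.Bridge.connect(Bridge.java:42)>
####<Jan 11, 2003 10:03:00 AM> <Info> <HTTP> <srv1> <password=notAnException>
"""

RECORD_START = re.compile(r"^####<")   # assumed start-of-record marker
EXC_NAME = "ResourceAllocationException"
SECRET = re.compile(r"(?i)\b(password|passwd|pwd|credential)(\s*[=:]\s*)(\S+)")

def split_records(text):
    """Group lines into records: a marker line plus its continuation lines."""
    records = []
    for no, line in enumerate(text.splitlines(), 1):
        if RECORD_START.match(line) or not records:
            records.append([no, [line]])
        else:
            records[-1][1].append(line)
    return records

def audit(text):
    """Return (findings, redacted_text); only records naming the exception are masked."""
    findings, out = [], []
    for first_no, lines in split_records(text):
        hit = any(EXC_NAME in l for l in lines)
        for offset, line in enumerate(lines):
            if hit:
                def mask(m, no=first_no + offset):
                    findings.append((no, m.group(1).lower()))
                    return m.group(1) + m.group(2) + "[REDACTED]"
                line = SECRET.sub(mask, line)
            out.append(line)
    return findings, "\n".join(out) + "\n"

if __name__ == "__main__":
    found, cleaned = audit(SAMPLE_LOG)
    for no, key in found:
        print(f"line {no}: {key} value in {EXC_NAME} record; rotate it")
    print(cleaned)
```

Masking is limited to records that name the exception, so unrelated lines that happen to contain `password=` are left untouched for separate review.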
Test code:
None yet
Solution:
WebLogic Server 6.1 released, Service Pack 1, Service Pack 2, and Service Pack 3: upgrade to WebLogic Server 6.1 Service Pack 4.
WebLogic Server 7.0 released, Service Pack 1, and WebLogic Server 7.0.0.1: apply the following patch:
ftp://ftpna.beasys.com/pub/releases/security/CR093060_70sp1.jar
Related information:
Reference: http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?highlight=advisoriesnotifications&path=components%2Fdev2dev%2Fresourcelibrary%2Fadvisoriesnotifications%2FBEA03-24.htm