=====================================================================
CERT-Renater Note d'Information No. 2006/VULN037
_____________________________________________________________________
DATE                 : 26/01/2006
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running BEA WebLogic Server, WebLogic
                       Express and WebLogic Portal.
======================================================================

BEA Systems has released 14 security advisories for BEA WebLogic Server
(WLS), WebLogic Express and WebLogic Portal (WLP). Patches have been
released to fix these vulnerabilities. Details are as follows:

BEA06-119.00  Console applies incorrect JNDI policies.
              Affects : WLS 9.0
              Advisory: http://dev2dev.bea.com/pub/advisory/176

BEA06-118.00  Server's SSL identity not properly protected from
              applications.
              Affects : WLS 8.1 SP5
              Advisory: http://dev2dev.bea.com/pub/advisory/175

BEA06-117.00  Using a connection filter can cause the server to slow
              down.
              Affects : WLS 9.0, WLS 8.1 (-SP5), WLS 7.0 (-SP6)
              Advisory: http://dev2dev.bea.com/pub/advisory/174

BEA06-116.00  Non-active security provider appears active.
              Affects : WLS 9.0
              Advisory: http://dev2dev.bea.com/pub/advisory/173

BEA06-115.00  A patch is available to enforce access to only specific
              resources.
              Affects : WLP 8.1 SP3, SP4, SP5
              Advisory: http://dev2dev.bea.com/pub/advisory/172

BEA06-114.00  Application code installed on a server may be able to
              decrypt passwords.
              Affects : WLS 9.0, WLS 8.1 (-SP5)
              Advisory: http://dev2dev.bea.com/pub/advisory/171

BEA06-113.00  Changed passwords may show up in the audit log.
              Affects : WLS 8.1 (-SP4)
              Advisory: http://dev2dev.bea.com/pub/advisory/170

BEA06-112.00  An application's deployment descriptor source is visible.
              Affects : WLP 8.1 (-SP4)
              Advisory: http://dev2dev.bea.com/pub/advisory/169

BEA06-111.00  The server log may be remotely viewable.
              Affects : WLS 8.1 (-SP4), WLS 7.0 (-SP6), WLS 6.1 (-SP7)
              Advisory: http://dev2dev.bea.com/pub/advisory/168

BEA06-110.00  Cleartext database password in the config.xml file.
              Affects : WLP 8.1 (-SP3)
              Advisory: http://dev2dev.bea.com/pub/advisory/167

BEA06-109.00  Multiple MBean vulnerabilities.
              Affects : WLS 8.1 (-SP4), WLS 7.0 (-SP6), WLS 6.1 (-SP7)
              Advisory: http://dev2dev.bea.com/pub/advisory/166

BEA06-108.00  Documentation is available describing how to secure
              multiple domains managed from one instance of the
              WebLogic Server Administration Console.
              Affects : WLS 7.0, WLS 6.1
              Advisory: http://dev2dev.bea.com/pub/advisory/165

BEA06-106.01  Requests for a servlet doing relative forwarding may
              result in a Denial-of-Service (DoS) attack.
              Affects : WLS 8.1 (-SP4), WLS 7.0 (-SP6)
              Advisory: http://dev2dev.bea.com/pub/advisory/164

BEA06-81.01   Anonymous binds to the embedded LDAP server are allowed.
              Affects : WLS 9.0, WLS 8.1 (-SP5), WLS 7.0 (-SP6)
              Advisory: http://dev2dev.bea.com/pub/advisory/163

======================================================================
=========================================================
CERT-Renater reference servers
  http://www.urec.fr/securite
  http://www.cru.fr/securite
  http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44     +
+ 151 bd de l'Hopital   | fax  : 01-53-94-20-41     +
+ 75013 Paris           | email: certsvp@renater.fr +
=========================================================
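Added check for BEA06-81.01 (anonymous binds to the embedded LDAP server), not part of the CERT-Renater note or of BEA's advisories. The script below builds an LDAPv3 anonymous simple bind (RFC 4511 BindRequest with an empty name and empty simple credentials) using only the Python standard library, sends it, and decodes the BindResponse; a resultCode of 0 (success) means the server accepted the anonymous bind. The default port 7001 is an assumption (WebLogic's default listen port, which the embedded LDAP server shares by default), and the sample responses decoded here are constructed byte strings, not captured traffic.

```python
"""Anonymous LDAP bind probe (added example; not from the CERT-Renater note)."""
import socket

LDAP_VERSION = 3
# RFC 4511 resultCode values most likely to come back from a bind attempt.
RESULT_CODES = {0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
                48: "inappropriateAuthentication", 49: "invalidCredentials",
                53: "unwillingToPerform"}


def ber_len(n):
    """BER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_int(n):
    """Minimal big-endian encoding of a non-negative INTEGER/ENUMERATED (sign bit clear)."""
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def build_anonymous_bind(msg_id=1):
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }."""
    bind = tlv(0x02, ber_int(LDAP_VERSION)) + tlv(0x04, b"") + tlv(0x80, b"")
    return tlv(0x30, tlv(0x02, ber_int(msg_id)) + tlv(0x60, bind))


def build_bind_response(msg_id, result_code, diagnostic=b"", matched_dn=b""):
    """Encode a BindResponse; used here only to construct sample server replies."""
    body = tlv(0x0A, ber_int(result_code)) + tlv(0x04, matched_dn) + tlv(0x04, diagnostic)
    return tlv(0x30, tlv(0x02, ber_int(msg_id)) + tlv(0x61, body))


def read_tlv(buf, pos=0):
    """Decode one BER element at buf[pos]; returns (tag, value, next_pos)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                      # long form: low 7 bits = number of length octets
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def parse_bind_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from an LDAPMessage."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(msg)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, resp, _ = read_tlv(msg, pos)
    if tag != 0x61:                       # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    tag, code, pos = read_tlv(resp)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    _, _matched_dn, pos = read_tlv(resp, pos)
    _, diag, _ = read_tlv(resp, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def anonymous_bind_accepted(response):
    """True when the server answered the anonymous simple bind with resultCode success."""
    return parse_bind_response(response)[1] == 0


def check_anonymous_bind(host, port=7001, timeout=5.0):
    """Probe a live server. Port 7001 is an assumption (WebLogic default listen port)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_anonymous_bind(1))
        data = b""
        while True:                       # read until the outer LDAPMessage TLV is complete
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
            try:
                read_tlv(data)
                break
            except (ValueError, IndexError):
                continue
    _, code, diag = parse_bind_response(data)
    return code, RESULT_CODES.get(code, "unknown"), diag


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print("anonymous bind ->", check_anonymous_bind(target))
```

Run it as `python probe.py <host>` against a test instance you are authorized to assess; a result of `(0, 'success', '')` is the condition BEA06-81.01 describes, while `invalidCredentials`, `inappropriateAuthentication` or `unwillingToPerform` indicate the server refused the anonymous bind. Because the probe only sends a single BindRequest and reads the reply, it changes nothing on the target.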