|
|
| |
| BEA WebLogic Server is "the world leading application server software". It's possible to launch a credentials brute force attack against known users through an BEA WebLogic Server's internal servlet that permits the bypass of the user locking mechanism. |
| |
Credit:
The information has been provided by Ramon Pinuaga Cascales.
The original article can be found at: http://www.s21sec.com/avisos/s21sec-040-en.txt
|
| |
Vulnerable Systems:
* BEA WebLogic Server version 7.0sp6
* BEA WebLogic Server version 8.1sp4
* BEA WebLogic Server version 9.0sp2
Immune Systems:
* BEA WebLogic Server version 6.x and prior
To avoid credential brute force attacks, Weblogic server have a locking mechanism that lock the corresponding account after some invalid login attempts.
The default lock shots if 5 invalid login attempts were made. The lock remains 30 minutes.
S21SEC has found that exists an internal servlet that allow the guess of valid credentials even if the attacked account is locked.
This allows infinite invalid authentication attempts against an account. When the correct credentials are guessed, it's only needed to wait for the account to unlock and then logon into the server.
The affected servlet is:
/wl_management_internal1/LogfileSearch (Version 7 & 8)
/bea_wls_diagnostics/accessor (Version 9)
Workaround:
BEA has released an advisory about this vulnerability. Updates and more information are available at Bea website:
http://dev2dev.bea.com/pub/advisory/271
|
|
|
|
|
|
|
|
