Security Advisories and Notifications


Security Advisory: (BEA03-36.01)

From: Oracle Corporation

Subject: SECURITY ADVISORY (BEA03-36.01)

Minor Subject: Patches available to prevent multiple cross-site scripting (XSS) vulnerabilities.

Product(s) Affected: WebLogic Server and Express, WebLogic Integration, Liquid Data

Threat level: low
Requires careful orchestration and unintentional cooperation by a privileged user.

Severity: high
Can allow anonymous user to upgrade to administrative privileges.

This security advisory (BEA03-36.01) contains a link to the Javadoc for Utils.encodeXSS(). There are no new or updated remedies in this Advisory. Please disregard SECURITY ADVISORY BEA03-36.00, as this advisory BEA03-36.01 supersedes it.

Recently a customer identified a problem that could potentially cause a security vulnerability in certain versions of WebLogic Server and Express, WebLogic Integration, and Liquid Data. Patches are available to correct this problem (see section II below). BEA treats such possibilities with the highest degree of urgency and does everything possible to ensure the security of all customer assets. As a result, we strongly suggest the following action:

     I. Read the following advisory.

     II. Apply the suggested action.

     III. If you know of any additional users interested in future security advisories, please forward them the registration instructions below.

I. Advisory

Background: XSS vulnerabilities are well documented in the industry (see the "References" section below). An XSS vulnerability requires three parties:

     1. A susceptible Web site.

     2. A valid user of the Web site.

     3. An attacker.

The attacker tricks the user (usually via a misleading link on a web page or in an email) into sending a request that triggers the XSS vulnerability in the Web site. This allows the attacker to run arbitrary client-side (i.e.: browser) scripts that execute with the identity of the valid user. Typically this is used to steal session cookies, thereby allowing the attacker to impersonate the valid user. XSS vulnerabilities can arise due to bugs in the Web server or in applications running on it.

Advisory: This advisory addresses two types of XSS vulnerabilities:
  1. A vulnerability in the Servlet container that can be exploited when the browser is being sent a forward instruction. Static URLs such as "http://www.bea.com" are not exploitable when being forwarded to. The exploit only occurs when the target is a dynamic URL built from request data, such as
    "http://www.bea.com?username=" + request.getParameter("user")
    Any application that supports a dynamically calculated URL in a forward statement can potentially contain this vulnerability.

  2. A series of vulnerabilities in the WebLogic Server console application. These only put at risk users who hold special administrative privileges (i.e.: users in the "Admin," "Monitor," "Deployer," and "Operator" roles). A privileged user can be tricked into clicking on a URL that will unintentionally share those privileges with an attacker.

Coding Advice: Any Web application can introduce XSS vulnerabilities. It is beyond the ability of WebLogic Server and Express to protect against this. Careful coding when programming Web applications is required to avoid these vulnerabilities. To this end, WebLogic Server and Express are introducing a new utility class with this advisory: weblogic.servlet.security.Utils. The Utils.encodeXSS() method will properly encode all key HTML syntax characters. The Javadoc for this method is available at:

Patch #7825133, available from OracleMetaLink as per the instructions below:
• Select the Patches and Updates tab after logging in to OracleMetaLink.
• Click Simple Search.
• In the Search By field, select Patch Number from the list.
• Enter the patch number. The patch number may be different for different product releases and platforms.
• Select the platform (or choose generic as applicable)
• Click Go.
• Click Download to download the patch.

Caution About Existing Samples: Our samples are intended to provide a simple tutorial regarding a few specific features. They are not comprehensive guides to best practices. Many of them omit the use of the Utils.encodeXSS() method in needed places and are hence vulnerable to XSS attacks.

The following versions of WebLogic Server and Express, WebLogic Integration, and Liquid Data are affected by this vulnerability:
  • WebLogic Integration 7.0, all platforms
  • WebLogic Integration 2.1, all platforms
  • Liquid Data 1.1, all platforms
  • WebLogic Server and Express 7.0, all platforms
  • WebLogic Server and Express 6.1, all platforms
  • WebLogic Server and Express 5.1, all platforms

II. SUGGESTED ACTION

Oracle strongly recommends the following course of action:
  • For WebLogic Integration 7.0

    Download and apply the patch #7823261 to WebLogic Server 7.0 SP2 from OracleMetaLink as per the instructions below:
    • Select the Patches and Updates tab after logging in to OracleMetaLink.
    • Click Simple Search.
    • In the Search By field, select Patch Number from the list.
    • Enter the patch number. The patch number may be different for different product releases and platforms.
    • Select the platform (or choose generic as applicable)
    • Click Go.
    • Click Download to download the patch.

    Download and apply the WebLogic Integration patch #7825227 to WebLogic Integration 7.0 SP2 from OracleMetaLink as per the instructions below:
    • Select the Patches and Updates tab after logging in to OracleMetaLink.
    • Click Simple Search.
    • In the Search By field, select Patch Number from the list.
    • Enter the patch number. The patch number may be different for different product releases and platforms.
    • Select the platform (or choose generic as applicable)
    • Click Go.
    • Click Download to download the patch.

    When Service Pack 4 is available for WebLogic Integration and WebLogic Server, you can use that Service Pack instead of Service Pack 2 and these patches.


  • For WebLogic Integration 2.1 running on WebLogic Server 6.1 Service Pack 3

    Download and apply the patch #7823208 to WebLogic Server 6.1 SP3 from OracleMetaLink as per the instructions below:
    • Select the Patches and Updates tab after logging in to OracleMetaLink.
    • Click Simple Search.
    • In the Search By field, select Patch Number from the list.
    • Enter the patch number. The patch number may be different for different product releases and platforms.
    • Select the platform (or choose generic as applicable)
    • Click Go.
    • Click Download to download the patch.

    Download and apply the WebLogic Integration patch #7825236 to WebLogic Integration 2.1 SP2 from OracleMetaLink as per the instructions below:
    • Select the Patches and Updates tab after logging in to OracleMetaLink.
    • Click Simple Search.
    • In the Search By field, select Patch Number from the list.
    • Enter the patch number. The patch number may be different for different product releases and platforms.
    • Select the platform (or choose generic as applicable)
    • Click Go.
    • Click Download to download the patch.


  • For WebLogic Integration 2.1 running on WebLogic Server 6.1 Service Pack 2

    Download and apply the patch #7823196 to WebLogic Server 6.1 SP2 from OracleMetaLink as per the instructions below:
    • Select the Patches and Updates tab after logging in to OracleMetaLink.
    • Click Simple Search.
    • In the Search By field, select Patch Number from the list.
    • Enter the patch number. The patch number may be different for different product releases and platforms.
    • Select the platform (or choose generic as applicable)
    • Click Go.
    • Click Download to download the patch.

    Download and apply the WebLogic Integration patch #7825236 to WebLogic Integration 2.1 SP2 from OracleMetaLink as per the instructions below:
    • Select the Patches and Updates tab after logging in to OracleMetaLink.
    • Click Simple Search.
    • In the Search By field, select Patch Number from the list.
    • Enter the patch number. The patch number may be different for different product releases and platforms.
    • Select the platform (or choose generic as applicable)
    • Click Go.
    • Click Download to download the patch.


  • For Liquid Data 1.1

    Download and apply the patch #7823261 to WebLogic Server 7.0 SP2 from OracleMetaLink as per the instructions below:
    • Select the Patches and Updates tab after logging in to OracleMetaLink.
    • Click Simple Search.
    • In the Search By field, select Patch Number from the list.
    • Enter the patch number. The patch number may be different for different product releases and platforms.
    • Select the platform (or choose generic as applicable)
    • Click Go.
    • Click Download to download the patch.

    Then upgrade to Liquid Data Rolling Patch 4.


  • For WebLogic Server 7.0

    Upgrade to Service Pack 3 and download and apply the patch #7823276 from OracleMetaLink as per the instructions below:
    • Select the Patches and Updates tab after logging in to OracleMetaLink.
    • Click Simple Search.
    • In the Search By field, select Patch Number from the list.
    • Enter the patch number. The patch number may be different for different product releases and platforms.
    • Select the platform (or choose generic as applicable)
    • Click Go.
    • Click Download to download the patch.

    When Service Pack 4 is available, you can use that Service Pack instead of Service Pack 3 and this patch.


  • For WebLogic Server 6.1

    Upgrade to Service Pack 5 and download and apply the patch #7823220 from OracleMetaLink as per the instructions below:
    • Select the Patches and Updates tab after logging in to OracleMetaLink.
    • Click Simple Search.
    • In the Search By field, select Patch Number from the list.
    • Enter the patch number. The patch number may be different for different product releases and platforms.
    • Select the platform (or choose generic as applicable)
    • Click Go.
    • Click Download to download the patch.

    When Service Pack 6 is available, you can use that Service Pack instead of Service Pack 5 and this patch.


  • For WebLogic Server 5.1

    Upgrade to Service Pack 13 and download and apply the patch #7824676 from OracleMetaLink as per the instructions below:
    • Select the Patches and Updates tab after logging in to OracleMetaLink.
    • Click Simple Search.
    • In the Search By field, select Patch Number from the list.
    • Enter the patch number. The patch number may be different for different product releases and platforms.
    • Select the platform (or choose generic as applicable)
    • Click Go.
    • Click Download to download the patch.


SECURITY COMMUNICATIONS

Oracle strongly suggests that customers apply the remedies recommended in all our security advisories. Oracle also urges customers to apply every Service/Maintenance Pack as they are released. Service/Maintenance Packs include a roll-up of all bug fixes for each version of the product, as well as each of the prior Service/Maintenance Packs. Service/Maintenance Packs and information about them can be found at: http://www.oracle.com/technology/software/products/ias/bea_main.html

Note: Information about securing WebLogic Server and WebLogic Express can be found at http://edocs.bea.com/wls/docs103/security.html. Specific lockdown information is provided at http://e-docs.bea.com/wls/docs103/lockdown/index.html. We strongly encourage you to review this documentation to ensure your server deployment is securely configured.

As a policy, if there are any security-related issues with any Oracle product, Oracle will distribute an advisory and instructions with the appropriate course of action. Because the security of your site, data, and code is our highest priority, we are committed to communicating all security-related issues clearly and openly.

All previous advisories can be viewed at: http://www.oracle.com/technology/deploy/security/wls-security.

Additional users who wish to register for product advisory distribution should follow the registration directions at: http://www.oracle.com/technology/deploy/security/alerts.htm.

Security issues can be reported to Oracle by following the directions at: http://www.oracle.com/technology/deploy/security/alerts.htm.

Thank you,
Oracle Corporation