Security Advisories and Notifications


Security Advisory: (BEA02-03.03)

From: Oracle Corporation

Minor Subject: Patch available for Show Code Vulnerability

Product(s) Affected: BEA WebLogic Server and Express

This security advisory (BEA02-03.03) contains updated information in section II. Specifically, we have supplied new patches for WebLogic Server 6.1 SP2, WebLogic Server 6.0 SP2 RP3, and WebLogic Server 5.1 SP11. Please disregard SECURITY ADVISORY BEA00-03.00, BEA01-03.01 and BEA01-03.02, as this advisory BEA02-03.03 supersedes them.

We have identified multiple problems that could potentially cause a security vulnerability in certain versions of BEA WebLogic Server and Express on all platforms. Patches are available to correct these problems (see section II below). BEA treats such possibilities with the highest degree of urgency and does everything possible to ensure the security of all customer assets. As a result, we strongly suggest the following action:

      I. Read the following advisory.

      II. Apply the suggested action.

      III. If you know of any additional users interested in future security advisories, please forward them the registration instructions below.


I. ADVISORY

Recently, a potential security vulnerability that could result in the ability for unauthorized clients to view source code for JSP and jHTML pages was reported in BEA WebLogic Server and Express. This exposure is limited to viewing source code only, and does not provide any opportunity for unauthorized clients to modify or otherwise corrupt JSP or jHTML code.

The following BEA WebLogic Server and Express releases are affected by this vulnerability:

  • Version: The J-Engine in BEA WebLogic Enterprise 5.1.x
  • Version: BEA WebLogic Server and Express 4.5x, 5.1.x, and 6.x

CAUSE

Vulnerabilities surrounding the unintentional display of JSP and jHTML source rely on the common strategy of getting JSP and jHTML files processed by the File Servlet instead of the JSP/jHTML engine. In WebLogic Server, there are two ways this can be accomplished: (1) by utilizing incorrect mappings for the File Servlet, or (2) by exploiting a bug in the parsing of URLs.

Incorrect Mappings for the File Servlet

By default, WebLogic Server and Express configure the File Servlet to serve any file type for which no specific mapping is defined. Depending upon the configuration, it is possible to cause the File Servlet to display the contents of any file within the Web document root directory of the Web server. It may also be possible to cause similar behavior using the ServerSideIncludeServlet.

It is possible to view the source of a JSP/jHTML file in a browser if you use the example registration for the file servlet as provided in the example weblogic.properties file that is shipped with your BEA WebLogic Server distribution.

The example weblogic.properties file that is shipped with the BEA WebLogic Server and Express distribution defines the use of the File and ServerSideInclude servlets as follows:
  1. a Servlet alias called "ConsoleHelp" is defined to invoke the FileServlet
  2. a Servlet alias called "file" is defined to invoke the FileServlet
  3. the ServerSideIncludeServlet is defined under virtual name "*.shtml"

Currently, a single directory (commonly known as the document root) is used for serving both static content (HTML files, images, etc.) and dynamic content (JSP, jHTML, etc.). Hence, a URL such as http://www.bea.com/ConsoleHelp/my.jsp will result in the use of the FileServlet to handle the my.jsp file. Likewise, a URL such as http://www.bea.com/*.shtml/my.jsp will cause the my.jsp file to be processed by the ServerSideIncludeServlet.

Incorrect URL Parsing

Some unusual URLs can leverage a bug in the URL parsing and trigger the display of the source for a JSP or jHTML file. One strategy for constructing such a URL is the use of percent signs ("%") in the URL as described by the HTTP 1.1 specification (see "Hypertext Transfer Protocol -- HTTP/1.1" at http://www.ietf.org/rfc/rfc2616.txt). By using "%" escapes in the suffix of the JSP filename, the File Servlet can be made to display the source. For example, the URLs http://www.bea.com/my.jsp%00 ("%00" is the URL escape for the null character) and http://www.bea.com/my%2ejsp ("%2e" is the URL escape for ".") will display the source of my.jsp rather than execute it.
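The two root causes above (File Servlet aliases and suffix matching on the raw, undecoded URL) share one defender-side fix: decide the handler from the decoded, normalised path, reject null bytes, and never let the File Servlet be the fallback. The following is an added example, not BEA/Oracle code; it models that routing rule and adds a triage helper for access logs. The alias prefixes and handler names come from this advisory, the log lines are constructed, and the extension sets are assumptions.

```python
import posixpath
from urllib.parse import unquote

DYNAMIC_EXTENSIONS = {".jsp", ".jhtml"}   # only the JSP/jHTML engine may serve these
STATIC_EXTENSIONS = {".html", ".htm", ".gif", ".jpg", ".css"}   # assumed static set
FILE_SERVLET_ALIASES = ("/ConsoleHelp/", "/file/", "/*.shtml/")  # from the advisory

def canonical_path(raw_path):
    """Percent-decode and normalise BEFORE any suffix check; None if unsafe."""
    decoded = unquote(raw_path)
    if "\x00" in decoded:                  # '%00' would truncate a C-style filename
        return None
    return posixpath.normpath("/" + decoded.lstrip("/"))

def route(raw_path):
    """Choose the handler from the decoded extension only, and never fall back
    to the FileServlet. Returns 'jsp', 'ssi', 'file' or 'reject'."""
    path = canonical_path(raw_path)
    if path is None:
        return "reject"
    ext = posixpath.splitext(path)[1].lower()
    if ext in DYNAMIC_EXTENSIONS:
        return "jsp"          # even when reached via /ConsoleHelp/ or /*.shtml/
    if ext == ".shtml":
        return "ssi"
    if ext in STATIC_EXTENSIONS:
        return "file"
    return "reject"           # default servlet is not the FileServlet

def is_source_probe(raw_path):
    """True when the decoded target is JSP/jHTML but the raw request hides it:
    encoded suffix (%2e), trailing %00, or a FileServlet alias prefix."""
    path = canonical_path(raw_path)
    if path is None:
        return "%00" in raw_path
    ext = posixpath.splitext(path)[1].lower()
    if ext not in DYNAMIC_EXTENSIONS:
        return False
    literal_suffix = raw_path.lower().endswith(ext)
    aliased = any(raw_path.startswith(a) for a in FILE_SERVLET_ALIASES)
    return (not literal_suffix) or aliased

def triage(log_lines):
    """Paths in (constructed) common-log-format lines that look like
    source-disclosure attempts; the request path is the 7th whitespace field."""
    return [f[6] for f in (l.split() for l in log_lines)
            if len(f) > 6 and is_source_probe(f[6])]
```

A hit from triage() on a server that has not yet been patched is worth checking against the response size: a 200 with a body the size of the template source, rather than its rendered output, confirms disclosure.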

II. SUGGESTED ACTION

Oracle strongly recommends the following course of actions:

  1. Apply the appropriate Service Pack below:
    • Version: BEA WebLogic Server and Express version 6.1 standalone or as part of BEA WebLogic Enterprise 6.1 on all OS platforms
      • Action: Apply Service Pack 2 and then download and apply the patch #7822817 from OracleMetaLink as per the instructions below:
        • Select the Patches and Updates tab after logging in to OracleMetaLink.
        • Click Simple Search.
        • In the Search By field, select Patch Number from the list.
        • Enter the patch number. The patch number may be different for different product releases and platforms.
        • Select the platform (or choose generic as applicable).
        • Click Go.
        • Click Download to download the patch.
      • When Service Pack 3 becomes available, you can use that jar instead of Service Pack 2 and this patch.
    • Version: BEA WebLogic Server and Express version 6.0 standalone or as part of BEA WebLogic Enterprise 6.0 on all OS platforms
      • Action: Apply Service Pack 2 with Rolling Patch 3 and download and apply the patch #7822795 from OracleMetaLink as per the instructions below:
        • Select the Patches and Updates tab after logging in to OracleMetaLink.
        • Click Simple Search.
        • In the Search By field, select Patch Number from the list.
        • Enter the patch number. The patch number may be different for different product releases and platforms.
        • Select the platform (or choose generic as applicable).
        • Click Go.
        • Click Download to download the patch.
    • Version: BEA WebLogic Server and Express version 5.1 standalone or as part of BEA WebLogic Enterprise 5.1.x on all OS platforms.
      • Action: Apply Service Pack 11 and then download and apply the patch #7822782 from OracleMetaLink as per the instructions below:
        • Select the Patches and Updates tab after logging in to OracleMetaLink.
        • Click Simple Search.
        • In the Search By field, select Patch Number from the list.
        • Enter the patch number. The patch number may be different for different product releases and platforms.
        • Select the platform (or choose generic as applicable).
        • Click Go.
        • Click Download to download the patch.
      • When Service Pack 12 becomes available, you can use that jar instead of Service Pack 11 and this patch.
    • Version: BEA WebLogic Server and Express 4.5.2 on all OS platforms
      • Action: Apply Service Pack 2 and then download and apply the patch #7822539 from OracleMetaLink as per the instructions below:
        • Select the Patches and Updates tab after logging in to OracleMetaLink.
        • Click Simple Search.
        • In the Search By field, select Patch Number from the list.
        • Enter the patch number. The patch number may be different for different product releases and platforms.
        • Select the platform (or choose generic as applicable).
        • Click Go.
        • Click Download to download the patch.
    • Version: BEA WebLogic Server and Express 4.5.1 on all OS platforms
      • Action: Apply Service Pack 15

  2. Two further steps can be taken as additional precautions.
    • First, precompiling the JSP files and installing only their compiled forms both increases performance and removes the possibility of the JSP source being displayed entirely, since the source file is not present on the server.
    • Second, changing the default Servlet to be a Servlet other than the FileServlet will prevent the accidental downloading of files.
      • Changing the default Servlet on WebLogic 5.x and earlier releases
        Once the Service Pack has been applied, review the weblogic.properties file and ensure that the following changes have been made:

        weblogic.httpd.register.file=weblogic.servlet.FileServlet
        weblogic.httpd.initArgs.file=defaultFilename=index.html
        weblogic.httpd.defaultServlet=file

        should be changed to:

        weblogic.httpd.register.*.html=weblogic.servlet.FileServlet
        weblogic.httpd.initArgs.*.html=defaultFilename=index.html
        weblogic.httpd.defaultServlet=*.html

      • Changing the default Servlet on WebLogic 6.x
        In each web application, add the following lines to the web.xml file:

        YourDefaultServlet

        You should replace the Servlet "YourDefaultServlet" with the name of the Servlet you wish to be the default Servlet. Then, for each file type that you want to download directly to the web browser (e.g. HTML and GIF files) you must add a new servlet-mapping tag. For example, to map HTML files the following lines would be needed:

        <servlet-mapping>
          <servlet-name>FileServlet</servlet-name>
          <url-pattern>*.html</url-pattern>
        </servlet-mapping>
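The following is an added example of a complete web.xml fragment for the WebLogic 6.x change above; it is not from the advisory. "YourDefaultServlet" and its class are placeholders, the "/" url-pattern for the default servlet is an assumption (the page does not give it), and only the static types you list explicitly reach the FileServlet.

```xml
<web-app>
  <!-- Placeholder default servlet: anything without a more specific mapping
       lands here instead of the FileServlet (class name is a placeholder). -->
  <servlet>
    <servlet-name>YourDefaultServlet</servlet-name>
    <servlet-class>com.example.NotFoundServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>FileServlet</servlet-name>
    <servlet-class>weblogic.servlet.FileServlet</servlet-class>
  </servlet>

  <!-- Assumed: "/" is the default-servlet pattern; not stated on the page. -->
  <servlet-mapping>
    <servlet-name>YourDefaultServlet</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>

  <!-- Explicit static types only; *.jsp and *.jhtml stay with their engines. -->
  <servlet-mapping>
    <servlet-name>FileServlet</servlet-name>
    <url-pattern>*.html</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>FileServlet</servlet-name>
    <url-pattern>*.gif</url-pattern>
  </servlet-mapping>
</web-app>
```

With this layout a request for my.jsp under any path no longer matches a FileServlet mapping, so a mis-aliased or oddly encoded URL cannot route the template to the static file handler.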


SECURITY COMMUNICATIONS

Oracle strongly suggests that customers apply the remedies recommended in all our security advisories. Oracle also urges customers to apply every Service/Maintenance Pack as they are released. Service/Maintenance Packs include a roll-up of all bug fixes for each version of the product, as well as each of the prior Service/Maintenance Packs. Service/Maintenance Packs and information about them can be found at: http://www.oracle.com/technology/software/products/ias/bea_main.html

Note: Information about securing WebLogic Server and WebLogic Express can be found at http://edocs.bea.com/wls/docs103/security.html. Specific lockdown information is provided at http://e-docs.bea.com/wls/docs103/lockdown/index.html. We strongly encourage you to review this documentation to ensure your server deployment is securely configured.

As a policy, if there are any security-related issues with any Oracle product, Oracle will distribute an advisory and instructions with the appropriate course of action. Because the security of your site, data, and code is our highest priority, we are committed to communicating all security-related issues clearly and openly.

All previous advisories can be viewed at: http://www.oracle.com/technology/deploy/security/wls-security.

Additional users who wish to register for product advisory distribution should follow the registration directions at: http://www.oracle.com/technology/deploy/security/alerts.htm.

Security issues can be reported to Oracle by following the directions at: http://www.oracle.com/technology/deploy/security/alerts.htm.

Thank you,
Oracle Corporation