Security Advisories and Notifications


Security Advisory: (BEA02-23.01)

From: Oracle Corporation

Minor Subject: Patch available to prevent DOS attack through XML parsing

Product(s) Affected: BEA WebLogic Platform, WebLogic Integration, WebLogic Server and Express

Threat level: Low

Severity: low

This security advisory (BEA02-23.01) contains refreshed patches. The patches previously issued in BEA02-23.00:

CR091862-610SP3.jar

CR091862-700SP1.jar

CR091862-610SP4.jar

CR091862-600SP2RP3.jar

have been superseded by

CR091862-610SP3-1.jar

CR091862-700SP1-1.jar

CR091862-610SP4-1.jar

CR091862-600SP2RP3-1.jar

Please disregard the patches issued in Advisory BEA02-23.00, as these patches supersede them.

Recently, Sanctum, Inc. identified a problem that could potentially cause a security vulnerability in certain versions of BEA WebLogic Integration, WebLogic Server and Express. Patches are available to correct this problem (see section II below). BEA treats such possibilities with the highest degree of urgency and does everything possible to ensure the security of all customer assets. As a result, we strongly suggest the following action:

      I. Read the following advisory.

      II. Apply the suggested action.

      III. If you know of any additional users interested in future security advisories, please forward them the registration instructions below.


I. ADVISORY

This vulnerability can occur when the Xerces parser is used to parse XML documents containing Document Type Definitions (DTDs). Certain configurations of entity references in the DTD have been identified as having the potential to cause a Denial of Service.

WebLogic Integration allows users to specify DTDs. When an XML document is processed, this vulnerability can occur.

Web services hosted on WebLogic Server are not vulnerable to this problem. The parser used for WebLogic web services does not parse DTDs.

A version of the Xerces parser is bundled with WebLogic Server 6.1 and WebLogic Server 7.0. User applications that make use of these parsers may be vulnerable to this kind of attack.

The following versions of WebLogic Integration are affected by this vulnerability:
  • Version: BEA WebLogic Integration 2.1 and 7.0.
The following BEA WebLogic Server and Express releases are affected by this vulnerability:
  • Version: BEA WebLogic Server and Express 6.0, 6.1, 7.0 and 7.0.0.1.

CAUSE

This vulnerability can occur when the Xerces parser reads a set of entities from a DTD. Certain configurations of entities can cause the parser to exhaust available processing power, resulting in a hung server.

The patches provided permit setting a limit on the extent of entity parsing in one DTD.


II. SUGGESTED ACTION

Oracle strongly recommends the following course of action:

WebLogic Integration 2.1
  1. Upgrade to WebLogic Server 6.1 Service Pack 3 and download and apply the patch #7822964 from OracleMetaLink as per the instructions below:
    • Select the Patches and Updates tab after logging in to OracleMetaLink.
    • Click Simple Search.
    • In the Search By field, select Patch Number from the list.
    • Enter the patch number. The patch number may be different for different product releases and platforms.
    • Select the platform (or choose generic as applicable).
    • Click Go.
    • Click Download to download the patch.
  2. Set the WebLogic system property (see note below).
  3. When WebLogic Integration 2.1 has been certified with WebLogic Server 6.1 Service Pack 5, you can use that version instead of Service Pack 3 and this patch.

WebLogic Integration 7.0
  1. Upgrade to WebLogic Integration 7.0 Service Pack 1 and download and apply the patch #7822994 from OracleMetaLink as per the instructions below:
    • Select the Patches and Updates tab after logging in to OracleMetaLink.
    • Click Simple Search.
    • In the Search By field, select Patch Number from the list.
    • Enter the patch number. The patch number may be different for different product releases and platforms.
    • Select the platform (or choose generic as applicable).
    • Click Go.
    • Click Download to download the patch.
  2. Set the WebLogic system property (see note below).
  3. When Service Pack 2 is available, you can use that version instead of Service Pack 1 and this patch.

WebLogic Server 7.0 or WebLogic Server 7.0.0.1
  1. Upgrade to WebLogic Server 7.0 Service Pack 1 and download and apply the patch #7822994 from OracleMetaLink as per the instructions below:
    • Select the Patches and Updates tab after logging in to OracleMetaLink.
    • Click Simple Search.
    • In the Search By field, select Patch Number from the list.
    • Enter the patch number. The patch number may be different for different product releases and platforms.
    • Select the platform (or choose generic as applicable).
    • Click Go.
    • Click Download to download the patch.
  2. Set the WebLogic system property (see note below).
  3. When WebLogic Server 7.0 Service Pack 2 is available, you can use that version instead of WebLogic 7.0 Service Pack 1 and this patch.

For WebLogic Server 6.1
  1. Upgrade to WebLogic Server 6.1 SP4 and download and apply the patch #7822983 from OracleMetaLink as per the instructions below:
    • Select the Patches and Updates tab after logging in to OracleMetaLink.
    • Click Simple Search.
    • In the Search By field, select Patch Number from the list.
    • Enter the patch number. The patch number may be different for different product releases and platforms.
    • Select the platform (or choose generic as applicable).
    • Click Go.
    • Click Download to download the patch.
  2. Set the WebLogic system property (see note below).
  3. When WebLogic Server 6.1 Service Pack 5 is available, you can use that version instead of WebLogic 6.1 SP4 and this patch.

For WebLogic Server 6.0
  1. Upgrade to WebLogic Server 6.0 Service Pack 2 Rolling Patch 3 and download and apply the patch #7822950 from OracleMetaLink as per the instructions below:
    • Select the Patches and Updates tab after logging in to OracleMetaLink.
    • Click Simple Search.
    • In the Search By field, select Patch Number from the list.
    • Enter the patch number. The patch number may be different for different product releases and platforms.
    • Select the platform (or choose generic as applicable).
    • Click Go.
    • Click Download to download the patch.
  2. Set the WebLogic system property (see note below).


Note: With each of these patches, set the WebLogic system property

weblogic.apache.xerces.maxentityrefs

to the maximum number of entity references that may be resolved in an XML document. The same value is used to limit the maximum number of entity references that may be resolved in the DTD.
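As an added example (not code from this advisory or from WebLogic), the same kind of entity-reference cap applied to a plain JDK XML parser: it assumes the JDK's own jdk.xml.entityExpansionLimit property, which plays the role that weblogic.apache.xerces.maxentityrefs plays for the Xerces build bundled with WebLogic, and uses a constructed sample document with a small internal DTD.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXException;

public class EntityRefLimitDemo {

    // Constructed sample document: a DTD declaring three internal entities
    // that resolve through one another, and a body that references the last
    // one four times. Resolving the body costs 4 * 3 = 12 entity references.
    static final String SAMPLE_XML =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE order [\n" +
        "  <!ENTITY a \"item\">\n" +
        "  <!ENTITY b \"&a;\">\n" +
        "  <!ENTITY c \"&b;\">\n" +
        "]>\n" +
        "<order>&c;&c;&c;&c;</order>\n";

    // JAXP attribute name for the JDK entity expansion limit (JDK 8 and later).
    static final String ENTITY_LIMIT =
        "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit";

    /**
     * Parses xml with at most maxEntityRefs entity expansions allowed.
     * Returns true when the document parsed, false when the parser aborted
     * because the limit was exceeded (reported as a fatal parse error).
     */
    static boolean parseWithLimit(String xml, int maxEntityRefs) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(ENTITY_LIMIT, Integer.valueOf(maxEntityRefs));
        DocumentBuilder b = f.newDocumentBuilder();
        try (InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
            b.parse(in);
            return true;
        } catch (SAXException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // A generous limit lets the 12 references resolve; a limit below 12 stops the parse.
        System.out.println("limit 100: parsed = " + parseWithLimit(SAMPLE_XML, 100));
        System.out.println("limit 3:   parsed = " + parseWithLimit(SAMPLE_XML, 3));
    }
}
```

On WebLogic itself the advisory's property is supplied like any other JVM system property, for example -Dweblogic.apache.xerces.maxentityrefs=<n> on the server start command line.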

Customers who have replaced the shipped version of the Xerces parser with another parser should check with their vendor to ensure that it is not vulnerable to this Denial of Service attack.


SECURITY COMMUNICATIONS

Oracle strongly suggests that customers apply the remedies recommended in all our security advisories. Oracle also urges customers to apply every Service/Maintenance Pack as they are released. Service/Maintenance Packs include a roll-up of all bug fixes for each version of the product, as well as each of the prior Service/Maintenance Packs. Service/Maintenance Packs and information about them can be found at: http://www.oracle.com/technology/software/products/ias/bea_main.html

Note: Information about securing WebLogic Server and WebLogic Express can be found at http://edocs.bea.com/wls/docs103/security.html. Specific lockdown information is provided at http://e-docs.bea.com/wls/docs103/lockdown/index.html. We strongly encourage you to review this documentation to ensure your server deployment is securely configured.

As a policy, if there are any security-related issues with any Oracle product, Oracle will distribute an advisory and instructions with the appropriate course of action. Because the security of your site, data, and code is our highest priority, we are committed to communicating all security-related issues clearly and openly.

All previous advisories can be viewed at: http://www.oracle.com/technology/deploy/security/wls-security.

Additional users who wish to register for product advisory distribution should follow the registration directions at: http://www.oracle.com/technology/deploy/security/alerts.htm.

Security issues can be reported to Oracle by following the directions at: http://www.oracle.com/technology/deploy/security/alerts.htm.

Thank you,
Oracle Corporation