Security Advisories and Notifications


 
Security Advisory: (BEA00-01.00)

From: Oracle Corporation

Minor Subject: Security Configuration Advisory - BEA WebLogic Server

Product(s) Affected: BEA WebLogic Server and Express

It has come to our attention that there is a common misconfiguration that has the potential to lead to a security vulnerability in certain versions of BEA WebLogic Server on the Microsoft Windows NT and Windows 2000 platforms. No other platforms are affected. BEA treats such possibilities with the highest degree of urgency and does everything possible to ensure the security of all customer assets. As a result, we strongly suggest the following actions.

      I. Read the following advisory.

      II. See the Frequently Asked Questions

      III. If you are interested in future security advisories, please follow the directions below to register and verify your contact information

I. ADVISORY

Last week, Foundstone, Inc. (www.foundstone.com), a security consulting and training firm, reported the following issue on the Microsoft Windows NT and 2000 platforms:

Check the following property in the weblogic.properties file:
weblogic.httpd.servlet.extensionCaseSensitive

In certain versions of BEA WebLogic Server, the default of this property is set to "false". On the case-insensitive Windows file system, a request that spells a JSP or jHTML file's extension with different case (for example .JSP rather than .jsp) still resolves to the same file but is not dispatched to the servlet that executes it, so the server returns the page's source as a static document. For maximum security, as documented in our security lockdown documentation at:

http://www.weblogic.com/docs51/admindocs/properties.html

http://www.weblogic.com/docs51/admindocs/lockdown.html

set weblogic.httpd.servlet.extensionCaseSensitive to "true", or add the following line to your weblogic.properties file:
weblogic.httpd.servlet.extensionCaseSensitive=true

Oracle strongly recommends the following course of action:

Review the following matrix to determine the appropriate course of action for your version of BEA WebLogic Server.
  • Version: BEA WebLogic 5.1 for Windows NT and 2000
    • Status:  Set to true by default
    • Action: None
  • Version: BEA WebLogic 4.5.2 for Windows NT and 2000
    • Status:  Set to true by default
    • Action: None
  • Version:  BEA WebLogic 4.5.1 for Windows NT and 2000
    • Status:  Set to false by default
    • Action: Set weblogic.httpd.servlet.extensionCaseSensitive=true
  • Version:  BEA WebLogic 4.0.4 for Windows NT and 2000
    • Status:  Set to false by default
    • Action: Set weblogic.httpd.servlet.extensionCaseSensitive=true
  • Version: BEA WebLogic 3.1.8 for Windows NT and 2000
    • Status:  Set to false by default
    • Action: Download and apply the patch #8215497 from OracleMetaLink as per the instructions below:
      • Select the Patches and Updates tab after logging in to OracleMetaLink.
      • Click Simple Search.
      • In the Search By field, select Patch Number from the list.
      • Enter the patch number. The patch number may be different for different product releases and platforms.
      • Select the platform (or choose generic as applicable)
      • Click Go.
      • Click Download to download the patch.

BEA urges customers to apply each Service Pack as it is released. Service Packs include a roll-up of all bug fixes for each version of the product, as well as each of the prior Service Packs.
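The following Python script is an added example, not code from this advisory or from BEA or Oracle. It performs the check the matrix above prescribes: it parses a weblogic.properties file, looks up weblogic.httpd.servlet.extensionCaseSensitive, and, when the property is absent, falls back to the per-version default listed in the matrix (true on 5.1 and 4.5.2, false on 4.5.1, 4.0.4 and 3.1.8, with 3.1.8 additionally needing the patch). The version labels, the script name and the sample properties text are assumptions made for the example.

```python
"""Audit weblogic.properties for weblogic.httpd.servlet.extensionCaseSensitive.

Added example; not BEA or Oracle code. The per-version defaults below are the
ones listed in the advisory's matrix. The sample properties text and the
version labels are constructed for the example.

Usage: python audit_extension_case.py <version> <path/to/weblogic.properties>
"""
import re
import sys

PROPERTY = "weblogic.httpd.servlet.extensionCaseSensitive"

# Default value of the property on Windows NT/2000, per the advisory's matrix.
DEFAULTS = {
    "5.1": True,
    "4.5.2": True,
    "4.5.1": False,
    "4.0.4": False,
    "3.1.8": False,   # also needs the patch, whatever the property says
}

_KV = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)")

def parse_properties(text):
    """Minimal Java .properties reader: '#' and '!' comment lines, '=' or ':'
    separators, and trailing-backslash continuation lines. A key that appears
    twice takes its last value, as java.util.Properties does."""
    props = {}
    pending = ""          # accumulated text of a continued logical line
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit(version, properties_text):
    """Return (status, detail): 'ok', 'fix' (set the property to true) or
    'patch' (3.1.8 needs the advisory's patch)."""
    value = parse_properties(properties_text).get(PROPERTY)
    if value is None:
        default = DEFAULTS.get(version)
        effective = bool(default)      # unknown version: treat as false
        shown = f"unset (default for {version}: {default if default is not None else 'unknown'})"
    else:
        effective = value == "true"    # the advisory documents exactly "true"
        shown = f"{value!r} in weblogic.properties"
    if version == "3.1.8":
        return "patch", f"{PROPERTY} is {shown}; 3.1.8 requires the caseSensitiveNTFix318 patch"
    if effective:
        return "ok", f"{PROPERTY} is {shown}"
    return "fix", f"{PROPERTY} is {shown}; add {PROPERTY}=true"

# Constructed sample, not taken from a real server.
SAMPLE_PROPERTIES = """\
# weblogic.properties (sample)
weblogic.system.listenPort=7001
weblogic.httpd.register.*.jsp=weblogic.servlet.JSPServlet
weblogic.httpd.initArgs.*.jsp=\\
    pageCheckSeconds=1,\\
    compileCommand=c:/jdk/bin/javac.exe
weblogic.httpd.servlet.extensionCaseSensitive=false
"""

if __name__ == "__main__":
    version, path = sys.argv[1], sys.argv[2]
    with open(path, encoding="latin-1") as f:    # .properties files are ISO-8859-1
        status, detail = audit(version, f.read())
    print(f"[{status.upper()}] {detail}")
```

The script compares the property value against the literal "true" that the advisory documents rather than accepting case variants, so a value such as "True" is reported for correction; adjust that comparison only if you have confirmed how your release parses the value.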



II. FREQUENTLY ASKED QUESTIONS

Q: What is the nature of this security advisory?

In certain configurations of BEA WebLogic Server running on Windows NT and 2000, unauthorized clients may be able to view source code for JSP and jHTML pages. This exposure is limited to viewing source code only, and does not provide any opportunity for unauthorized clients to modify or otherwise corrupt JSP or jHTML code. Note, however, that JSP and jHTML source frequently embeds database connection strings, credentials and internal host names, so any disclosure should also be treated as a possible credential exposure.
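The following Python probe is an added example, not code from the advisory or from BEA, Oracle or Foundstone. It tests for the source-disclosure condition described in the answer above by requesting a page under its normal name and under case variants of its extension (the behaviour that weblogic.httpd.servlet.extensionCaseSensitive governs), and reports a variant as exposed when its response contains JSP or jHTML server-side markup that the normally executed page does not. The host, path, script name and sample response bodies are constructed for the example; run it only against servers you are authorized to test.

```python
"""Probe for case-variant source disclosure of JSP/jHTML pages.

Added example; not BEA, Oracle or Foundstone code. Requests a page under its
normal name and under case variants of its extension; a variant is reported
as exposed when its body carries server-side markup (JSP <% %> / <jsp:...>,
jHTML <java>...</java>) that the normally executed page does not. Host, path
and the sample bodies are constructed.

Usage: python probe_case_variants.py http://host:7001 /index.jsp
"""
import re
import sys
import urllib.request
from urllib.error import HTTPError, URLError

# Markup that only exists in the unexecuted source of a page.
SERVER_SIDE = re.compile(r"<%|<jsp:|<java\b|</java>", re.IGNORECASE)

def case_variants(path):
    """Spellings of the extension to try, excluding the original one."""
    base, dot, ext = path.rpartition(".")
    if not dot or ext.lower() not in ("jsp", "jhtml"):
        return []
    variants = {ext.upper(), ext.capitalize(), ext[:-1] + ext[-1].upper()}
    variants.discard(ext)
    return [f"{base}.{v}" for v in sorted(variants)]

def looks_like_source(body):
    return SERVER_SIDE.search(body) is not None

def is_exposed(normal_body, variant_body):
    """True when the variant leaks markup that the executed page strips."""
    return looks_like_source(variant_body) and not looks_like_source(normal_body)

def fetch(url):
    """Return (status, body); status is None on connection failure."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("latin-1", "replace")
    except HTTPError as e:
        return e.code, ""
    except URLError:
        return None, ""

def probe(base_url, path):
    """List of (variant_path, exposed) for one page on a live server."""
    _, normal = fetch(base_url + path)
    findings = []
    for variant in case_variants(path):
        status, body = fetch(base_url + variant)
        findings.append((variant, status == 200 and is_exposed(normal, body)))
    return findings

# Constructed sample bodies, not captured from any real server.
EXECUTED_PAGE = "<html><body><h1>Hello, guest</h1></body></html>"
RAW_JSP = ('<%@ page import="java.sql.*" %>\n'
           '<html><body><h1>Hello, <%= request.getRemoteUser() %></h1></body></html>')
RAW_JHTML = ("<java type=import>java.sql.*</java>\n"
             "<html><body><java>out.print(request.getRemoteUser());</java></body></html>")

if __name__ == "__main__":
    for variant, exposed in probe(sys.argv[1], sys.argv[2]):
        print(f"{variant}: {'EXPOSED' if exposed else 'not exposed'}")
```

On a platform with a case-sensitive file system the variant requests simply return 404, which is why the advisory limits the issue to Windows NT and 2000; a 200 response whose body still contains scriptlet or <java> markup after the property has been set to true means the change has not taken effect on the server you tested.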

Q: Who is affected by this security advisory?

Only users of certain versions and configurations of BEA WebLogic Server running on Windows NT or 2000 may be affected.

The following versions of BEA WebLogic Server are NOT affected in the default configuration:
  • BEA WebLogic Server 4.5.2
  • BEA WebLogic Server 5.1.0
Anyone who is running the following versions of BEA WebLogic Server on Windows NT or Windows 2000 may be affected and should take the prescribed action:
  • BEA WebLogic Server 4.5.1
  • BEA WebLogic Server 4.0.x
  • BEA WebLogic Server 3.1.8
Q: What action should I take to protect my servers?

If you are running BEA WebLogic Server on any platform other than Microsoft Windows NT or Windows 2000, you are not affected by this advisory and do not need to take any action.

If you are running BEA WebLogic Server 4.5.2 or BEA WebLogic Server 5.1.0 on Microsoft Windows NT or Windows 2000, you are not affected by the advisory and do not need to take any action.

The following list identifies affected versions of BEA WebLogic Server and the recommended action:
  • Version: BEA WebLogic 4.5.1 for Windows NT or 2000
    • Status: Set to false by default
    • Action: Set weblogic.httpd.servlet.extensionCaseSensitive=true
  • Version: BEA WebLogic 4.0.4 for Windows NT or 2000
    • Status: Set to false by default
    • Action: Set weblogic.httpd.servlet.extensionCaseSensitive=true
  • Version: BEA WebLogic 3.1.8 for Windows NT or 2000
    • Status: Set to false by default
    • Action: Apply patch found at:
      ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/318/caseSensitiveNTFix318.zip
For maximum security when running BEA WebLogic Server on Windows NT or Windows 2000, ensure that weblogic.httpd.servlet.extensionCaseSensitive is set to "true" in the weblogic.properties file as documented in: http://www.weblogic.com/docs51/admindocs/lockdown.html

Q: What if I am still using 4.0.1, 4.0.2 or 4.0.3?

You must upgrade to 4.0.4 and add weblogic.httpd.servlet.extensionCaseSensitive=true to the weblogic.properties file.

Q: How may I contact BEA for more information?

Customers and partners should contact support@bea.com. Analysts or the press may contact Christina Grenier at cgrenier@bea.com

Q: What is BEA's plan to inform customers of this security advisory?

A direct electronic mail is being sent to all of BEA WebLogic Server customers. BEA has also created a special mailing list for future distribution of security bulletins.

Q: How can I report a potential security issue to BEA for immediate analysis?

An email address has been created for reports of any possible security issues in BEA products: security-report@bea.com


SECURITY COMMUNICATIONS

Oracle strongly suggests that customers apply the remedies recommended in all our security advisories. Oracle also urges customers to apply every Service/Maintenance Pack as they are released. Service/Maintenance Packs include a roll-up of all bug fixes for each version of the product, as well as each of the prior Service/Maintenance Packs. Service/Maintenance Packs and information about them can be found at: http://www.oracle.com/technology/software/products/ias/bea_main.html

Note: Information about securing WebLogic Server and WebLogic Express can be found at http://edocs.bea.com/wls/docs103/security.html. Specific lockdown information is provided at http://e-docs.bea.com/wls/docs103/lockdown/index.html. We strongly encourage you to review this documentation to ensure your server deployment is securely configured.

As a policy, if there are any security-related issues with any Oracle product, Oracle will distribute an advisory and instructions with the appropriate course of action. Because the security of your site, data, and code is our highest priority, we are committed to communicating all security-related issues clearly and openly.

All previous advisories can be viewed at: http://www.oracle.com/technology/deploy/security/wls-security.

Additional users who wish to register for product advisory distribution should follow the registration directions at: http://www.oracle.com/technology/deploy/security/alerts.htm.

Security issues can be reported to Oracle by following the directions at: http://www.oracle.com/technology/deploy/security/alerts.htm.

Thank you,
Oracle Corporation