Security Advisories and Notifications


Subject: Security Advisory (BEA08-200.00)
From: Oracle Corporation
Minor Subject: Server files can be accessed by a remote user
Product(s) Affected: BEA AquaLogic Collaboration 4.2; BEA Plumtree Collaboration 4.1;

Threat level: High
Exploiting this involves using the URL for a Collaboration download servlet and changing a parameter in order to access files from known locations on the Collaboration machine.

Severity: High
A user could view or download system files on the machine where Collaboration is installed.

A problem was identified that could potentially cause a security vulnerability in certain versions of the BEA AquaLogic Collaboration and BEA Plumtree Collaboration. Patches are available to correct this problem (see Section II). Oracle treats potential security problems with a high degree of urgency and endeavors to take appropriate steps to help ensure the security of our customers’ systems. As a result, Oracle strongly suggests the following actions:

I. Read the following advisory.
II. Apply the suggested action.
III. If you know of any additional users interested in future security advisories, please forward them the registration instructions included in this advisory.

I. Advisory

Background: A download servlet is used by Collaboration in three areas:

  • To allow administrators to view the collaboration.log.
  • To download .zip files created via the zip download feature.
  • To download task lists exported to MS project format.


A knowledgeable attacker could access the internal servlet and use it to view or download files on the collaboration machine, including system files.

This advisory corrects this issue by providing patches that are required to secure Collaboration against using the servlet to download files that are not part of the features above.
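The fix described above amounts to restricting the download servlet to files that belong to its three legitimate features. The following check is an added illustration of that restriction, not Oracle's or BEA's code; the directory names, request parameter names and file suffixes are assumptions chosen for the example.

```python
# Added example (not the vendor's code): an allowlist check of the kind a download
# servlet needs so that a request parameter can only name files belonging to the
# three legitimate download features, never arbitrary files on the server.
import os
from typing import Optional

# Constructed directories standing in for the three download areas the advisory
# lists: log viewing, zip download and task lists exported to MS Project format.
ALLOWED_ROOTS = {
    "log": "/opt/collab/logs",
    "zip": "/opt/collab/exports/zip",
    "project": "/opt/collab/exports/project",
}
# Assumed file suffixes per feature; anything else is refused.
ALLOWED_SUFFIXES = {"log": (".log",), "zip": (".zip",), "project": (".mpx", ".xml")}


def resolve_download(kind: str, name: str) -> Optional[str]:
    """Return the absolute path the servlet may serve, or None to refuse the request."""
    root = ALLOWED_ROOTS.get(kind)
    if root is None:
        return None
    # Only a bare file name is acceptable: no directory separators, no parent
    # references, no embedded NUL (which would truncate the path in native code).
    if not name or "\x00" in name or name in (".", "..") or os.path.basename(name) != name:
        return None
    if not name.lower().endswith(ALLOWED_SUFFIXES[kind]):
        return None
    # Canonicalize and confirm the result is still inside the feature's root, as a
    # second line of defence against anything that survives the name check.
    real_root = os.path.realpath(root)
    full = os.path.realpath(os.path.join(real_root, name))
    if os.path.commonpath([real_root, full]) != real_root:
        return None
    return full
```

The servlet would then open only the path this function returns and log refused requests, which is also a useful detection signal for parameter tampering against the download URL.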

Impact and CVSS Ratings:

CVSS Severity Score: 7.8 (High)
Attack Range (AV): Network
Attack Complexity (AC): Low
Authentication Level (Au): None
Impact Type: Complete Confidentiality impact
Vulnerability Type: Information Disclosure
CVSS Base Score Vector: (AV:N/AC:L/Au:N/C:C/I:N/A:N)

Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html
Online Calculator: http://nvd.nist.gov/cvss.cfm?calculator

The following versions of BEA AquaLogic Interaction and BEA Plumtree Foundation are affected by this vulnerability:

  • BEA Plumtree Collaboration 4.1 through Service Pack 2 on all platforms.
  • BEA AquaLogic Interaction 4.2 through Maintenance Pack 1 on all platforms.

II. SUGGESTED ACTION

Oracle strongly recommends the following course of action for the following versions of BEA Plumtree Foundation and BEA AquaLogic Interaction:

BEA AquaLogic Collaboration 4.2

  1. Upgrade to BEA AquaLogic Collaboration 4.2 MP1.
  2. Download and apply the AquaLogic Collaboration 4.2.1.317490 patch #7825102 from OracleMetaLink as per the instructions below:
    • Select the Patches and Updates tab after logging in to OracleMetaLink.
    • Click Simple Search.
    • In the Search By field, select Patch Number from the list.
    • Enter the patch number. The patch number may be different for different product releases and platforms.
    • Select the platform (or choose generic as applicable).
    • Click Go.
    • Click Download to download the patch.
  3. Follow the instructions in the readme inside the zip file to install the patch.

BEA Plumtree Collaboration 4.1

  1. Upgrade to BEA Plumtree Foundation 4.1 SP2.
  2. Download and apply the Plumtree Foundation 4.1.2.317491 patch #7825093 from OracleMetaLink as per the instructions below:
    • Select the Patches and Updates tab after logging in to OracleMetaLink.
    • Click Simple Search.
    • In the Search By field, select Patch Number from the list.
    • Enter the patch number. The patch number may be different for different product releases and platforms.
    • Select the platform (or choose generic as applicable).
    • Click Go.
    • Click Download to download the patch.
  3. Follow the instructions in the readme inside the zip file to install the patch.


SECURITY COMMUNICATIONS

Oracle strongly suggests that customers apply the remedies recommended in all our security advisories. Oracle also urges customers to apply every Service/Maintenance Pack as they are released. Service/Maintenance Packs include a roll-up of all bug fixes for each version of the product, as well as each of the prior Service/Maintenance Packs. Service/Maintenance Packs and information about them can be found at: http://www.oracle.com/technology/software/products/ias/bea_main.html

Note: Information about securing WebLogic Server and WebLogic Express can be found at http://edocs.bea.com/wls/docs103/security.html. Specific lockdown information is provided at http://e-docs.bea.com/wls/docs103/lockdown/index.html. We strongly encourage you to review this documentation to ensure your server deployment is securely configured.

As a policy, if there are any security-related issues with any Oracle product, Oracle will distribute an advisory and instructions with the appropriate course of action. Because the security of your site, data, and code is our highest priority, we are committed to communicating all security-related issues clearly and openly.

All previous advisories can be viewed at: http://www.oracle.com/technology/deploy/security/wls-security.

Additional users who wish to register for product advisory distribution should follow the registration directions at: http://www.oracle.com/technology/deploy/security/alerts.htm.

Security issues can be reported to Oracle by following the directions at: http://www.oracle.com/technology/deploy/security/alerts.htm.

Thank you,
Oracle Corporation