From: Oracle Corporation
Subject: Patch Available for Access Control Vulnerability in BEA Tuxedo
Product(s) Affected: BEA Tuxedo 7.1
Threat Level: Medium
It has come to our attention that an anomaly in BEA Tuxedo exposes a potential security vulnerability. This condition affects BEA Tuxedo version 7.1 on all supported platforms. BEA treats such possibilities with the highest degree of urgency and does everything possible to ensure the security of all customer assets. As a result, we strongly suggest the following action:
I. Read the following advisory.
II. Apply the suggested action.
III. If you know of any additional users interested in future security advisories, please forward them the registration instructions below.
IV. If you would like to report a possible security issue in a BEA product, please send email to the BEA email address listed below.
I. ADVISORY
A vulnerability has been identified in BEA Tuxedo version 7.1 that may allow an unauthorized user to access a service in a remote Tuxedo domain. The cause is a fault in the Domain gateway: the authorization checks for outgoing access to services and qspaces imported from remote domains are not performed. This affects all Tuxedo Domain gateways, including the TDomain gateway, the TOP END Domain Gateway and the BEA eLink Adapter for Mainframe products.
That is, when SECURITY is set to ACL or MANDATORY_ACL in the UBBCONFIG file for the application, and an Access Control List entry exists for a service (or services) imported through a Domain gateway, that entry is ignored and all outgoing accesses to the imported service (or services) are permitted. Similarly, if a plug-in security provider (such as ENTRUST) is in use, the Domain gateway does not call the authorization and auditing plug-ins for outgoing requests to remote services. Both imported services and imported qspaces are affected. Because the check is skipped in the gateway rather than misapplied to the ACL data, tightening the ACL entries for imported services does not mitigate the problem; the patch below is required.
II. SUGGESTED ACTION
BEA advises the following:
Version: BEA Tuxedo version 7.1
- Apply patch level 21 or later to any Tuxedo node that imports remote services via the Domain gateway. Contact Oracle Customer Support (1-888-223-1711). For a complete list of Oracle Customer Support contact numbers, go to: http://www.oracle.com/support/contact.html.
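The following script is an added example, not part of the original advisory and not Oracle/BEA tooling. It checks whether a node meets the exposure conditions described in the advisory above (SECURITY set to ACL or MANDATORY_ACL in UBBCONFIG, at least one service imported through the Domain gateway in DMCONFIG) and whether the installed patch level is below the 21 recommended in the suggested action. The UBBCONFIG and DMCONFIG fragments are constructed for illustration: section and keyword names follow the documented syntax, but the domain, service and host names are made up, and the installed patch level is passed in as an argument rather than detected, since you would take it from the node's installation records.

```shell
#!/bin/sh
# Added example: flag Tuxedo nodes matching the advisory's exposure conditions.
# Sample configuration text below is constructed (made-up names and values).

# Constructed UBBCONFIG fragment: SECURITY lives in the *RESOURCES section.
UBB_SAMPLE='*RESOURCES
IPCKEY      52001
MASTER      site1
MODEL       SHM
SECURITY    MANDATORY_ACL
AUTHSVC     "..AUTHSVC"

*MACHINES
"host1" LMID=site1 TUXDIR="/opt/tuxedo" APPDIR="/opt/app" TUXCONFIG="/opt/app/tuxconfig"
'

# Constructed DMCONFIG fragment. Imported services are listed under
# *DM_REMOTE_SERVICES (the section is also accepted here under its later
# name *DM_IMPORT); everything here is made up for the example.
DM_SAMPLE='*DM_LOCAL_DOMAINS
LDOM1 GWGRP=GWGRP1 TYPE=TDOMAIN DOMAINID="LDOM1"

*DM_REMOTE_DOMAINS
RDOM1 TYPE=TDOMAIN DOMAINID="RDOM1"

*DM_REMOTE_SERVICES
TOUPPER   RDOM=RDOM1 LDOM=LDOM1
PAYMENT   RDOM=RDOM1 LDOM=LDOM1 RNAME="PAYSVC"
'

# Print the SECURITY value from the *RESOURCES section, or NONE if it is unset.
security_mode() {   # $1 = UBBCONFIG text
    printf '%s\n' "$1" | awk '
        /^\*/ { in_res = ($1 == "*RESOURCES"); next }
        in_res && $1 == "SECURITY" { print $2; found = 1; exit }
        END { if (!found) print "NONE" }'
}

# Print one imported service name per line from the Domain gateway import section.
imported_services() {   # $1 = DMCONFIG text
    printf '%s\n' "$1" | awk '
        /^\*/ { in_imp = ($1 == "*DM_IMPORT" || $1 == "*DM_REMOTE_SERVICES"); next }
        in_imp && NF > 0 && $1 !~ /^#/ { print $1 }'
}

# Return 0 (exposed) when ACL-based security is on, at least one service is
# imported through the Domain gateway, and the patch level is below 21.
is_exposed() {   # $1 = UBBCONFIG text, $2 = DMCONFIG text, $3 = installed patch level
    mode=$(security_mode "$1")
    case "$mode" in
        ACL|MANDATORY_ACL) ;;
        *) return 1 ;;
    esac
    [ -n "$(imported_services "$2")" ] || return 1
    [ "$3" -lt 21 ] || return 1
    return 0
}

# Human-readable verdict for the constructed node at a given patch level.
report() {   # $1 = installed patch level
    if is_exposed "$UBB_SAMPLE" "$DM_SAMPLE" "$1"; then
        echo "EXPOSED: SECURITY=$(security_mode "$UBB_SAMPLE"), imports: $(imported_services "$DM_SAMPLE" | tr '\n' ' ')at patch level $1; apply patch level 21 or later"
    else
        echo "not exposed under this advisory's conditions at patch level $1"
    fi
}

report 20
report 21
```

The awk filters key on the section headers so that a SECURITY keyword appearing in a later section, or a service listed under *DM_LOCAL_SERVICES rather than the import section, is not mistaken for an exposure condition. A node with SECURITY set to APP_PW or USER_AUTH is reported as not exposed because the advisory concerns only the ACL and MANDATORY_ACL modes.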
Oracle strongly suggests that customers apply the remedies recommended in all our security advisories. Oracle also urges customers to apply every Service/Maintenance Pack as it is released. Service/Maintenance Packs include a roll-up of all bug fixes for each version of the product, as well as each of the prior Service/Maintenance Packs. Service/Maintenance Packs and information about them can be found at:
Note: Information about securing WebLogic Server and WebLogic Express can be found at http://edocs.bea.com/wls/docs103/security.html. Specific lockdown information is provided at http://e-docs.bea.com/wls/docs103/lockdown/index.html. We strongly encourage you to review this documentation to ensure your server deployment is securely configured.
As a policy, if there are any security-related issues with any Oracle product, Oracle will distribute an advisory and instructions with the appropriate course of action. Because the security of your site, data, and code is our highest priority, we are committed to communicating all security-related issues clearly and openly.
All previous advisories can be viewed at: http://www.oracle.com/technology/deploy/security/wls-security.
Additional users who wish to register for product advisory distribution should follow the registration directions at: http://www.oracle.com/technology/deploy/security/alerts.htm.
Security issues can be reported to Oracle by following the directions at: