Security Advisories and Notifications


Security Advisory: (BEA01-12.01)

From: Oracle Corporation

Minor Subject: Clarification in documentation for the CSR Generator Servlet for BEA WebLogic Server and BEA WebLogic Server Express

Product(s) Affected: BEA WebLogic Server Versions 4.5.1 through 6.1 Service Pack 1

The documentation for the CSR Generator Servlet, including the copy on the web site, has been updated to stress the importance of entering a random string into the Random String field and to describe why this field matters. We strongly suggest the action described in Section II below.


I. ADVISORY

Recently, a consultant with Finance online GmbH reported that following the documentation for the CSR Generator Servlet could lead to a potential security vulnerability in BEA WebLogic Server versions 4.5.1 through 6.1 Service Pack 1.

Certificate-based security relies on the computational difficulty of guessing the private key that corresponds to the public key stored in the certificate. That difficulty depends on the randomness (entropy) of the seed used to generate the public/private key pair. Using the Certificate Signature Request (CSR) Generator Servlet with no random string, or with a string that is too short or too predictable, can seriously reduce the difficulty of guessing the private key.

Note that the odds of an attacker actually guessing your private key, even if you did not use a random string, are extremely low. To succeed, the attacker must know that you are using WebLogic Server or Express, that you used the CSR Generator servlet, and that you did not enter an adequate random string.

This advisory covers the following releases of BEA WebLogic Server and Express:
  • Version: BEA WebLogic Server versions 4.5.1 through 6.1 Service Pack 1 on all supported platforms.

The CSR Generator Servlet was changed in WebLogic Server 6.1 Service Pack 2: the servlet code now seeds the generator itself rather than soliciting the seed from the user. This change is carried forward into WebLogic Server 7.0 and subsequent releases.


CAUSE

If no Random String is entered when generating the certificate, the private key can be guessed using only a few weeks of CPU time.
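As an added illustration of the point made in the Advisory and Cause sections above (this is example code written for this page, not the WebLogic CSR Generator Servlet's own code), the Python below models the two behaviours the advisory contrasts: a key generator seeded only from a user-supplied string, which returns identical key material whenever it sees the same string, and the 6.1 Service Pack 2 behaviour of seeding from the server's own cryptographically secure source. It also includes a hypothetical `seed_is_adequate` check of the kind a form could apply to the Random String field before accepting it. The `KEY_BYTES` length, the thresholds and the sample seed strings are all constructed for the example.

```python
import math
import random
import secrets
from collections import Counter

# Length of the key material drawn in this illustration (constructed value,
# not a WebLogic parameter).
KEY_BYTES = 32

# Constructed sample seeds: an empty field, a long but repetitive string,
# and a 32-character string made of 32 distinct characters.
EMPTY_SEED = ""
REPETITIVE_SEED = "a" * 40
DIVERSE_SEED = "Xk9#vQ2!mP7$zL4@wR8%nT1^bY6&cU3*"


def key_material_from_seed(seed: str, nbytes: int = KEY_BYTES) -> bytes:
    """Model of a generator seeded only from the user's Random String.

    random.Random is a deterministic PRNG: the same string always yields
    the same output, so the key material is no harder to guess than the
    string that seeded it. (Modelling device only; not cryptographic code.)
    """
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def server_side_key_material(nbytes: int = KEY_BYTES) -> bytes:
    """Model of the 6.1 SP2 and later behaviour: the server seeds from its
    own cryptographically secure source instead of asking the user."""
    return secrets.token_bytes(nbytes)


def shannon_entropy_bits(s: str) -> float:
    """Character-frequency entropy estimate of the whole string, in bits.

    This catches empty, short and repetitive input. Structured text such
    as a keyboard walk can still score high while being guessable, so it
    is a sanity check on the field, not a substitute for a CSPRNG.
    """
    if not s:
        return 0.0
    n = len(s)
    per_char = sum((c / n) * math.log2(n / c) for c in Counter(s).values())
    return per_char * n


def seed_is_adequate(seed: str, min_len: int = 32, min_bits: float = 128.0) -> bool:
    """Hypothetical form check: reject seeds that are short or low-entropy.
    Thresholds are constructed for this example."""
    return len(seed) >= min_len and shannon_entropy_bits(seed) >= min_bits


def seed_reproduces_key(seed: str) -> bool:
    """True when two independent generations from the same seed agree,
    i.e. the typed string alone determines the key."""
    return key_material_from_seed(seed) == key_material_from_seed(seed)


if __name__ == "__main__":
    for label, seed in (("empty", EMPTY_SEED),
                        ("repetitive", REPETITIVE_SEED),
                        ("diverse", DIVERSE_SEED)):
        print(f"{label:10s} adequate={seed_is_adequate(seed)!s:5s} "
              f"entropy={shannon_entropy_bits(seed):6.1f} bits "
              f"reproducible={seed_reproduces_key(seed)}")
    # Two server-side generations differ, because nothing the user typed
    # determines them.
    print("server-side keys identical:",
          server_side_key_material() == server_side_key_material())
```

The user-seeded path reproduces the same key material for every seed, which is exactly why a blank or weak Random String reduces the search to guessing the string; the server-side path removes that dependency altogether, which is the change Service Pack 2 made.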


II. SUGGESTED ACTION

BEA advises the following:

Version: BEA WebLogic Server 4.5.1 through 6.1 Service Pack 1 on all supported platforms.

Action: If you generated your certificate using the CSR Generator Servlet and did not supply a random string, then you should generate a new certificate. The documentation at the following links has been updated to emphasize the need to use the random string feature:


SECURITY COMMUNICATIONS

Oracle strongly suggests that customers apply the remedies recommended in all our security advisories. Oracle also urges customers to apply every Service/Maintenance Pack as it is released. Service/Maintenance Packs include a roll-up of all bug fixes for each version of the product, as well as each of the prior Service/Maintenance Packs. Service/Maintenance Packs and information about them can be found at: http://www.oracle.com/technology/software/products/ias/bea_main.html

Note: Information about securing WebLogic Server and WebLogic Express can be found at http://edocs.bea.com/wls/docs103/security.html. Specific lockdown information is provided at http://e-docs.bea.com/wls/docs103/lockdown/index.html. We strongly encourage you to review this documentation to ensure your server deployment is securely configured.

As a policy, if there are any security-related issues with any Oracle product, Oracle will distribute an advisory and instructions with the appropriate course of action. Because the security of your site, data, and code is our highest priority, we are committed to communicating all security-related issues clearly and openly.

All previous advisories can be viewed at: http://www.oracle.com/technology/deploy/security/wls-security.

Additional users who wish to register for product advisory distribution should follow the registration directions at: http://www.oracle.com/technology/deploy/security/alerts.htm.

Security issues can be reported to Oracle by following the directions at: http://www.oracle.com/technology/deploy/security/alerts.htm.

Thank you,
Oracle Corporation