BEA Security Advisories Archive Page

This page contains references to all BEA Security Advisories up to the April 2009 CPU. After the April 2009 CPU, all BEA security advisories will be posted only at http://www.oracle.com/technology/deploy/security/alerts.htm.

A high-level executive summary of the July 2008, October 2008, January 2009, and April 2009 Security Advisories Update (Critical Patch Update) for BEA products is available at http://www.oracle.com/technology/deploy/security/alerts.htm. All Oracle Critical Patch Updates and Security Alerts are available at http://www.oracle.com/technology/deploy/security/alerts.htm.

As a policy, if there are any security vulnerability related issues with any BEA product, Oracle generally distributes an advisory and instructions with the appropriate course of action. Because the security of your site, data, and code is our highest priority, we are committed to communicating all security vulnerability related issues clearly and openly.

Starting with Oracle's July 2008 Critical Patch Update:

  1. Security advisory information for BEA products will comply with the policy described at http://www.oracle.com/technology/deploy/security/securityfixlifecycle.html.
  2. Security advisories for BEA products will use CVSS for scoring vulnerabilities as described at http://www.oracle.com/technology/deploy/security/cpu/cvssscoringsystem.htm. The Threat and Severity Model will not be used in security advisory information for BEA products.
  3. Security advisories for BEA products will use Common Vulnerabilities and Exposures (CVE) identifiers rather than the previously used numbering convention (Vuln#) in the security advisory documentation. More details are available at http://www.oracle.com/technology/deploy/security/cpu/cpufaq.htm.

All Oracle JRockit security advisories released between August 2008 and April 2009 are tracked here.

The October 2008 CPU was the terminal Critical Patch Update for WebLogic Server/Express 6.1. As stated in the Oracle Lifetime Support policy, http://www.oracle.com/support/library/brochure/lifetime-support-technology.pdf, Extended Support for WebLogic Server/Express 6.1 was valid through November 2008.

Oracle has completed the acquisition of BEA and we are in the process of integrating BEA's operations. As a result of process changes, we expect former BEA customers to log in to Oracle Support in order to download security advisory fixes.

Here is a summary of all BEA Security Advisories released up to the April 2009 CPU:

Date Number Title Type Threat * Severity ** CVSS Rating *** Products Affected ****
2009-04-14 CVE-2009-1016 Security vulnerability in WebLogic plug-ins for Apache, Sun and IIS Web servers advisory - - 8.5 (High) WLS 10.3
WLS 10.0 (-MP1)
WLS 9.2 (-MP3)
WLS 9.1
WLS 9.0
WLS 8.1 (SP6)
WLS 7.0 (SP7)
2009-04-14 CVE-2009-1012 Security vulnerability in WebLogic plug-ins for Apache and IIS Web servers advisory - - 10.0 (High) WLS 10.3
WLS 10.0 (-MP1)
WLS 9.2 (-MP3)
WLS 9.1
WLS 9.0
WLS 8.1 (SP6)
WLS 7.0 (SP7)
2009-04-14 CVE-2009-1006 Multiple security vulnerabilities in JRockit advisory - - 10.0 (High) R27.6.2 and earlier: JRE/JDK 6
JRE/JDK 5.0
SDK/JRE 1.4.2
2009-04-14 CVE-2009-1005 Elevation of privilege vulnerability in Oracle Data Service Integrator and AquaLogic Data Services Platform advisory - - 4.1 (Medium) ALDSP 10.3.0
ALDSP 3.2
ALDSP 3.0.1
ALDSP 3.0
2009-04-14 CVE-2009-1004 Strengthened WebLogic Server web services security advisory - - 4.0 (Low) WLS 10.3
2009-04-14 CVE-2009-1003 Source code disclosure in WebLogic Server web pages advisory - - 5.0 (Medium) WLS 10.3
WLS 10.0 (-MP1)
WLS 9.2 (-MP3)
WLS 9.1
WLS 9.0
2009-04-14 CVE-2009-1002 Elevation of privilege vulnerability in WebLogic Server advisory - - 5.8 (Medium) WLS 10.3
WLS 10.0 (-MP1)
WLS 9.2 (-MP3)
WLS 9.1
WLS 9.0
WLS 8.1 (SP6)
WLS 7.0 (SP7)
2009-04-14 CVE-2009-1001 Elevation of privilege vulnerability in WebLogic Portal advisory - - 5.5 (Medium) WLP 8.1 (-SP6)
2009-01-13 CVE-2008-5462 Elevation of privilege vulnerability in WebLogic Portal advisory - - 6.8 (Medium) WLP 10.3 GA
WLP 10.2 GA
WLP 10.0 (-MP1)
WLP 9.2 (-MP3)
WLS 8.1 (-SP6)
2009-01-13 CVE-2008-5461 Elevation of privilege vulnerability in WebLogic Console advisory - - 6.8 (Medium) WLS 10.3
WLS 10.0 (-MP1)
WLS 9.2 (-MP3)
WLS 9.1
WLS 9.0
WLS 8.1 (SP6)
WLS 7.0 (SP7)
2009-01-13 CVE-2008-5460 Information disclosure vulnerability in JSP and servlets advisory - - 2.6 (Low) WLS 10.3 GA
WLS 10.0 (-MP1)
WLS 9.2 (-MP3)
WLS 9.1
WLS 9.0
2009-01-13 CVE-2008-5459 Security policy not enforced for WLS web services advisory - - 5.0 (Medium) WLS 10.3 GA
2009-01-13 CVE-2008-5457 Security vulnerability in WebLogic plug-ins for Apache, Sun and IIS Web servers advisory - - 10.0 (High) WLS 10.3
WLS 10.0 (-MP1)
WLS 9.2 (-MP3)
WLS 9.1
WLS 9.0
WLS 8.1 (SP6)
WLS 7.0 (SP7)
2008-10-14 CVE-2008-4013 Protected webapps may be displayed under certain conditions advisory - - 6.8 (Medium) WLS 10.0 (-MP1)
WLS 9.2 (-MP3)
WLS 9.1
WLS 9.0
WLS 8.1 (SP4 -SP6)
2008-10-14 CVE-2008-4012 Elevation of privilege vulnerability in some NetUI pageflows advisory - - 5.1 (Medium) WLW 8.1 (-SP5)
2008-10-14 CVE-2008-4011 Elevation of privileges for some applications advisory - - 2.1 (Low) WLS 10.0 (-MP1)
WLS 9.2 (-MP3)
WLS 9.1
WLS 9.0
2008-10-14 CVE-2008-4010 Elevation of privilege vulnerability in some NetUI tags advisory - - 6.8 (Medium) WLW 10.3 GA
WLW 10.2 GA
WLW 10.0 (-MP1)
WLW 9.2 (-MP3)
WLW 9.1 GA
WLW 9.0 GA
WLW 8.1 (-SP6)
2008-10-14 CVE-2008-4009 Elevation of Privilege vulnerability if more than one authorizer is used advisory - - 5.1 (Medium) WLS 9.1
2008-10-14 CVE-2008-4008 Security vulnerability in WebLogic plug-in for Apache advisory - - 10.0 (High) WLS 10.3
WLS 10.0 (-MP1)
WLS 9.2 (-MP3)
WLS 9.1
WLS 9.0
WLS 8.1 (-SP6)
WLS 7.0 (-SP7)
WLS 6.1 (-SP7)
2008-08-04 CVE-2008-3257 Patch available for security vulnerability in WebLogic plug-in for Apache advisory - - 10.0 (High) WLS 10.0 (-MP1)
WLS 9.2 (-MP3)
WLS 9.1
WLS 9.0
WLS 8.1 (-SP6)
WLS 7.0 (-SP7)
WLS 6.1 (-SP7)
2008-07-15 CVE-2008-2582 Denial-of-Service vulnerability in WebLogic Server advisory - - 5.0 (Medium) WLS 10.0 (-MP1)
WLS 9.2 (-MP3)
WLS 9.1
WLS 9.0
WLS 8.1 (-SP6)
WLS 7.0 (-SP7)
2008-07-15 CVE-2008-2581 Elevation of privilege vulnerabilities in the UDDI Explorer advisory - - 5.1 (Low) WLS 10.0 (-MP1)
WLS 9.2 (-MP3)
WLS 9.1
WLS 9.0
WLS 8.1 (-SP6)
WLS 7.0 (-SP7)
2008-07-15 CVE-2008-2580 Information disclosure in JSP pages advisory - - 2.6 (Low) WLS 10.0 (-MP1)
WLS 9.2 (-MP3)
WLS 9.1
WLS 9.0
2008-07-15 CVE-2008-2579 Information disclosure vulnerability in WebLogic plug-ins for Apache, Sun and IIS Web servers advisory - - 6.8 (Medium) Plugins prior to July 15th 2008
2008-07-15 CVE-2008-2578 Information Disclosure vulnerability in the WebLogic console or server log advisory - - 4.3 (Medium) WLS 10.0
WLS 9.2 (-MP1)
2008-07-15 CVE-2008-2577 Elevation of privilege vulnerability in the Console/WLST advisory - - 4.6 (Medium) WLS 9.2 MP1
2008-07-15 CVE-2008-2576 Information Disclosure vulnerability in the ForeignJMS component advisory - - 4.1 (Medium) WLS 9.2
WLS 9.1
WLS 9.0
WLS 8.1 (-SP6)
2008-04-16 BEA08-201.00 Multiple Security Vulnerabilities in the Java Runtime Environment advisory High High 9.0 (High) BEA JRockit R27.5.0 or prior: JDK and JRE 6 Update 3 and earlier
BEA JRockit R27.5.0 or prior: JDK and JRE 5.0 Update 14 and earlier
BEA JRockit R27.5.0 or prior: SDK and JRE 1.4.2 Update 16 and earlier
2008-02-19 BEA08-183.00 Security policies on a WebLogic Portal Page can inadvertently be lost by an administrator performing certain editing operations on that page advisory Low Medium 2.1 (Low) WLP 8.1 (SP3-SP6)
2008-02-19 BEA08-184.00 An entitlement on an instance of a floatable portlet can be bypassed advisory Low Medium 4.3 (Medium) WLP 8.1 (-SP6)
2008-02-19 BEA08-185.00 Cross-site scripting (XSS) vulnerabilities in Web applications using WebLogic Workshop NetUI page flows advisory High High 7.6 (High) WLW 8.1 (-SP5)
2008-02-19 BEA08-186.00 BEA Plumtree Portal cross site scripting (XSS) vulnerability advisory Medium Medium 5 (Medium) BEA AquaLogic Interaction 6.1 (-MP1)
BEA Plumtree Foundation 6.0 (-SP1)
2008-02-19 BEA08-187.00 Web Service WSDL and policy is exposed to unauthenticated HTTP clients advisory Medium Low 2.6 (Low) WLS 9.1
WLS 9.0
2008-02-19 BEA08-188.00 JavaScript can be injected into the WLP Groupspace application and can allow for an XSS exploit advisory Medium Medium 4.0 (Low) WLP 10.0
WLP 9.2 (-MP1)
2008-02-19 BEA08-110.01 Cleartext database password in the config.xml file advisory Low Medium WLP 8.1 (-SP3)
WLP 7.0 (SP4 - SP7)
2008-02-19 BEA08-189.00 Cross-site scripting (XSS) vulnerabilities in Web applications using either WebLogic Workshop NetUI or Apache Beehive NetUI page flows advisory High High 6.8 (Medium) WLW 10.0
WLW 9.2 (-MP1)
WLW 9.1
WLW 9.0
WLW 8.1 (-SP6)
2008-02-19 BEA08-190.00 A WebLogic Portal Administration Console session can inadvertently redirect from https port to an http port advisory Medium High 8.8 (High) WLP 10.0
WLP 9.2 (-MP2)
2008-02-19 BEA08-191.00 Tampering HTML request headers could lead to an elevation of privileges advisory High Medium 6.4 (Medium) WLS 10.0
WLS 9.2 (-MP1)
WLS 9.1
WLS 9.0
WLS 8.1 (-SP6)
WLS 7.0 (-SP7)
WLS 6.1 (-SP7)
2008-02-19 BEA08-192.00 When content portlets are deleted from one of the portal’s pages, all entitlements are removed for the application advisory Low Medium 3.6 (Low) WLP 10.0
WLP 9.2 (-MP1)
2008-02-19 BEA08-193.00 Non-authorized user may be able to receive messages from a secured JMS Topic destination advisory Medium High 8.3 (High) WLS 10
WLS 9.2 (-MP1)
WLS 9.1
WLS 9.0
2008-02-19 BEA08-194.00 A non-authorized user may be able to send messages to a protected distributed queue advisory Medium High 8.3 (High) WLS 10
WLS 9.2 (-MP1)
WLS 9.1
WLS 9.0
2008-02-19 BEA08-195.00 Cross-site scripting vulnerability in Console’s Unexpected Exception Page advisory Medium High 6.1 (Medium) WLS 10.0
WLS 9.2 (-MP1)
WLS 9.1
WLS 9.0
2008-02-19 BEA08-196.00 A session fixation exploit could result in elevated privileges advisory Low High 6.8 (High) WLS 10.0
WLS 9.2 (-MP1)
WLS 8.1 (SP4 - SP6)
2008-02-19 BEA08-197.00 Account lockout can be bypassed, exposing the account to a brute-force password attack advisory Medium Medium 6.8 (Medium) WLS 10.0 (-MP1)
WLS 9.2 (-MP2)
WLS 9.1
WLS 9.0
WLS 8.1 (-SP6)
WLS 7.0 (-SP7)
2008-02-19 BEA08-198.00 Multiple Security Vulnerabilities in Java Web Start and the Java Plug-in for browsers advisory Low Medium 2.4 (Low) BEA JRockit R24: JRockit R24.3-1.4.2_04 to R24.5-1.4.2_08
BEA JRockit R25: JRockit R25.0-1.5.0 to R25.2-1.5.0_03
2008-02-19 BEA08-80.04 Patches available to prevent multiple cross-site scripting (XSS) vulnerabilities advisory High High WLS 10.0 (-MP1)
WLS 9.2 (-MP2)
WLS 9.1
WLS 9.0
WLS 8.1 (-SP6)
WLS 7.0 (-SP7)
WLS 6.1 (-SP7)
2008-02-19 BEA08-159.01 Requests served through WebLogic proxy servlets may acquire elevated privileges advisory Medium High 5.6 (Medium) WLS 9.1
WLS 9.0
WLS 8.1 (-SP5)
WLS 7.0 (-SP7)
WLS 6.1 (-SP7)
2008-02-19 BEA08-199.00 A carefully constructed URL may cause the Sun, IIS or Apache web-server to crash advisory High High 5.0 (Medium) Plug-ins dated prior to November 2007
2008-02-19 BEA08-200.00 Server files can be accessed by a remote user advisory High High 7.8 (High) BEA AquaLogic Collaboration 4.2 (-MP1)
BEA Plumtree Collaboration 4.1 (-SP2)
2007-12-12 BEA07-182.00 Application files and resources may be remotely accessed advisory Medium High 8 (High) WLMS 3.3
WLMS 3.5
WLMS 3.6 (-SP1)
2007-11-30 BEA07-181.00 BEA Plumtree Foundation search facility allows an unauthenticated guest user to search for user objects advisory Medium Medium 4.7 (Medium) BEA Plumtree Foundation 6.0
BEA AquaLogic Interaction 6.1
BEA AquaLogic Interaction 6.1 MP1
2007-11-30 BEA07-180.00 BEA Plumtree Foundation full version vulnerability advisory Low Low 2.3 (Low) BEA Plumtree Foundation 6.0
BEA AquaLogic Interaction 6.1
BEA AquaLogic Interaction 6.1 MP1
2007-11-30 BEA07-179.00 BEA Plumtree Foundation internal hostname disclosure vulnerability advisory Low Low 2.3 (Low) BEA Plumtree Foundation 6.0
BEA AquaLogic Interaction 6.1
BEA AquaLogic Interaction 6.1 MP1
2007-08-28 BEA07-178.00 Java Secure Socket Extension Does Not Correctly Process SSL/TLS Handshake Requests Resulting in a Denial of Service (DoS) Condition advisory High High 3.3 (Low) JRockit R27.3.1 or prior using 1.6.0_1 or earlier
JRockit R27.3.1 or prior using 1.5.0 Updates 7, 8, 9, 10, and 11
JRockit R27.3.1 or prior using 1.4.2 Updates 11, 12, 13, and 14
2007-08-28 BEA07-177.00 Multiple Security Vulnerabilities in the Java Runtime Environment advisory High High 5.3 (Medium) JRockit R27.3.1 or prior using 1.6.0_1 or earlier
JRockit R27.3.1 or prior using 1.5.0_11 or earlier
JRockit R27.3.1 or prior using 1.4.2_14 or earlier
JRockit 7.0 SP6 RP1 or prior using JRE 1.3.1_20 or earlier
2007-08-28 BEA07-176.00 Server may select a cipher suite that uses a null cipher for SSL communication with SSL clients advisory Medium Medium 5.9 (Medium) WLS 10.0
WLS 9.2 (-MP1)
WLS 9.1
WLS 9.0
WLS 8.1 (-SP6)
WLS 7.0 (-SP7)
2007-08-28 BEA07-175.00 SSL clients may not find all possible cipher suites resulting in use of the default null cipher (no encryption) advisory Medium Medium 5.9 (Medium) WLS 10.0
WLS 9.2 (-MP2)
WLS 9.1
WLS 9.0
WLS 8.1 (SP2-SP6)
WLS 7.0 SP7
2007-08-28 BEA07-148.01 Malformed headers may cause high disk consumption advisory High Medium WLS 7.0 (-SP7)
WLS 6.1 (-SP7)
2007-08-28 BEA07-87.02 A malicious client can cause threads to hang on the server. advisory High High WLS 8.1 (-SP4)
WLS 7.0 (-SP7)
WLS 6.1 (-SP7)
2007-05-23 BEA07-164.01 Security policy may not be applied to WebLogic administration deployers when uploading archives advisory Medium High 4.8 (Medium) WLS 9.1
WLS 9.0
2007-05-14 BEA07-174.00 Non-trusted Applets may be able to elevate privileges advisory High High 8.0 (High) JRockit prior to R26.0.0 1.4.2_07
JRockit prior to R26.0.0 1.5.0_04
2007-05-14 BEA07-173.00 An Application started through Java Web Start may be able to elevate its privileges advisory Medium Medium 5.6 (Medium) JRockit prior to R26.0.0 1.4.2_07
JRockit prior to R26.0.0 1.5.0_04
2007-05-14 BEA07-172.00 Buffer Overflow in processing GIF images advisory High High 8.0 (High) JRockit prior to R26.0.0 1.4.2_07
JRockit prior to R26.0.0 1.5.0_04
2007-05-14 BEA07-171.00 Non-trusted Applets may be able to exploit serialization condition to elevate privileges advisory High High 8.0 (High) JRockit prior to R26.0.0 1.4.2_07
JRockit prior to R26.0.0 1.5.0_04
2007-05-14 BEA07-170.00 Exposure of filenames in development mode advisory Low Medium 3.3 (Low) WLI 9.2
WLI 8.1 (SP2-SP6)
2007-05-14 BEA07-169.00 WebLogic SSL may verify RSA Signatures incorrectly if the RSA key exponent is 3 advisory High Medium 5.6 (Medium) WLS 9.2
WLS 9.1
WLS 9.0
WLS 8.1 (-SP6)
WLS 7.0 (-SP7)
2007-05-14 BEA07-168.00 An SSL port may be susceptible to a Denial of Service attack advisory Low Low 1.9 (Low) WLS 9.2
WLS 9.1
WLS 9.0
2007-05-14 BEA07-167.00 Inadvertent corruption of entitlements could result in unauthorized access to protected resources advisory Low Low 2.2 (Low) WLP 9.2
2007-05-14 BEA07-166.00 Cross-site scripting attacks in the WebLogic Portal Groupspace application advisory Low Medium 3.4 (Low) WLP 9.2
2007-05-14 BEA07-165.00 WebLogic JMS Message Bridge not enforcing proper credentials to access a protected queue advisory Medium Low 2.2 (Low) WLS 8.1 (-SP6)
WLS 7.0 (-SP7)
2007-05-14 BEA07-163.00 The WLST script generated by configToScript may not encrypt sensitive attributes when creating a new domain. advisory Low Medium 2.3 (Low) WLS 9.1
WLS 9.0
2007-05-14 BEA07-162.00 The WebLogic console may display certain Web Service sensitive attributes in clear text advisory Low Medium 2.3 (Low) WLS 9.0
2007-05-14 BEA07-161.00 WebLogic Server Embedded LDAP may be susceptible to a brute force attack advisory Medium High 5.6 (Medium) WLS 9.1
WLS 9.0
WLS 8.1 (-SP5)
WLS 7.0 (-SP6)
2007-05-14 BEA07-160.00 Security policies may not be enforced on WebLogic JMS servers advisory Medium Medium 5.6 (Medium) WLS 8.1 (-SP4)
WLS 7.0 (-SP6)
WLS 6.1 (-SP7)
2007-05-14 BEA07-158.00 The Tuxedo cnsbind cnsunbind and cnsls commands may echo sensitive information in clear text advisory Low High 2.9 (Low) Tuxedo 8.1
Tuxedo 8.0
WLE 5.1
2007-01-16 BEA07-157.00 Authorization checks may not be enforced in AquaLogic Service Bus proxy services advisory Medium Medium ALSB 2.5
ALSB 2.1
ALSB 2.0
2007-01-16 BEA07-156.00 Inadvertent corruption of WebLogic Portal entitlement policies. advisory Low High WLP 9.2
2007-01-16 BEA07-155.00 An overflow condition may occur in products using BEA JRockit advisory High High WLPL 8.1 (-SP5)
WLS 8.1 (-SP5)
JRockit 1.4.2 R24.5
2007-01-16 BEA07-154.00 Upgrade and patch are available to disable users in Active Directory LDAP server advisory Medium High ALES 2.2
ALES 2.1 (-SP1)
ALES 2.0 (-SP2)
2007-01-16 BEA07-153.00 Audit events may be posted with incorrect severity. advisory Low Medium ALES 2.2
ALES 2.1 (-SP1)
ALES 2.0 (-SP2)
2007-01-16 BEA07-152.00 Multiple vulnerabilities in WebLogic Server proxy plug-in for Netscape Enterprise Server advisory High High WLS Netscape Enterprise Server proxy plug-in
2007-01-16 BEA07-151.00 Inadvertent removal of access restrictions advisory Low High WLP 9.2
2007-01-16 BEA07-150.00 A Denial of Service attack is possible against a WebLogic Server running on Solaris 9 advisory High High WLS 9.2
WLS 9.1
WLS 9.0
2007-01-16 BEA07-149.00 Security policy changes may not be seen by managed server. advisory Medium Medium WLS 9.1
2007-01-16 BEA07-147.00 Malformed HTTP requests may reveal data from previous requests advisory High Low WLS 9.1
WLS 9.0
2007-01-16 BEA07-146.00 Denial-of-service vulnerability in the proxy plug-in for Apache web server. advisory High High WLS Apache plug-in
2007-01-16 BEA07-145.00 Permissions on EJB methods with array parameters may not be enforced advisory Medium Low WLS 9.1
WLS 9.0
WLS 8.1 (-SP5)
WLS 7.0 (-SP6)
2007-01-16 BEA07-144.00 Some EJB calls can be unintentionally executed with administrative privileges when using WebLogic Server 6.1 compatibility realm advisory Medium High WLS 9.1
WLS 9.0
WLS 8.1 (-SP5)
WLS 7.0 (-SP7)
2007-01-16 BEA07-143.00 WS-Security runtime fails to enforce decryption certificate advisory Low Low WLS 9.1
WLS 9.0
2007-01-16 BEA07-142.00 Dynamic updates to applications deployed as exploded jars may result in incorrect access checking advisory Medium Medium WLS 8.1 (-SP5)
2007-01-16 BEA07-141.00 Socket muxer threads may block when processing error pages under load. advisory Low High WLS 9.0
WLS 8.1 (-SP5)
WLS 7.0 (-SP6)
WLS 6.1 (-SP7)
2007-01-16 BEA07-140.00 Sensitive attributes may be stored in clear-text after offline configuration advisory Low Medium WLS 8.1 (-SP5)
2007-01-16 BEA07-139.00 Application files are exposed when deploying via .ear or exploded .ear files. advisory High High WLS 8.1 (-SP5)
WLS 7.0 (-SP7)
WLS 6.1 (-SP7)
2007-01-16 BEA07-138.00 Problem with certificate validation on WebLogic web service clients advisory High Low WLS 9.1
WLS 9.0
WLS 8.1 (-SP5)
2007-01-16 BEA07-137.00 Incorrect thread management may lead to server unavailability. advisory High High WLS 9.1
WLS 9.0
WLS 8.1 (-SP5)
WLS 7.0 (-SP6)
2007-01-16 BEA07-136.00 JDBCDataSourceFactory MBean password field not encrypted advisory Low Medium WLS 9.0
WLS 8.1 (-SP4)
WLS 7.0 (-SP6)
2007-01-16 BEA07-135.00 Certificate validation condition in WebLogic Server advisory Medium Medium WLS 8.1 (-SP4)
2007-01-16 BEA07-134.00 SSL libraries may be vulnerable to unauthorized information disclosure advisory Low Medium WLS 8.1 (-SP5)
WLS 7.0 (-SP7)
WLS 6.1 (-SP7)
2007-01-16 BEA07-125.01 Internal network information may be externally visible advisory Low Low WLS 8.1 (-SP4)
WLS 7.0 (-SP6)
WLS 6.1 (-SP7)
2007-01-16 BEA07-107.02 Too many invalid login attempts allowed. advisory High Medium WLS 8.1 (-SP5)
WLS 7.0 (-SP6)
2007-01-16 BEA07-75.01 Users granted the Monitor security role have permission to configure JDBC connection pools. advisory Low Medium WLS 8.1 (SP2-SP4)
2007-01-16 BEA07-60.01 Patches are available to protect user authorizations. advisory Low Medium WLS 8.1 (-SP4)
WLS 7.0 (-SP6)
2006-05-15 BEA06-133.00 Sensitive internal system data may be exposed on the wire. advisory Medium High WLS 8.1 (-SP4)
WLS 7.0 (-SP6)
2006-05-15 BEA06-132.00 Incorrect Quality of Service on some transaction coordination advisory Medium Low WLS 8.1 (-SP3)
2006-05-15 BEA06-131.00 Recovering admin password can leave cleartext password on disk advisory Low High WLS 8.1
2006-05-15 BEA06-130.00 JSP showcode vulnerability advisory Low Low WLS 8.1 (-SP4)
WLS 7.0 (-SP6)
2006-05-15 BEA06-129.00 Console displays the WebLogic Server IP address advisory Medium Low WLS 8.1 (-SP4)
WLS 7.0 (-SP6)
WLS 6.1 (-SP7)
2006-05-15 BEA06-128.00 Domain name is exposed on Console login form advisory Low Low WLS 8.1 (-SP4)
WLS 7.0 (-SP6)
2006-05-15 BEA06-127.00 WebLogic Server HTTP handlers log username and password on failure advisory Low Low WLS 9.0
WLS 8.1 (-SP5)
WLS 7.0 (-SP6)
WLS 6.1 (-SP7)
2006-05-15 BEA06-126.00 Console incorrectly set JDBC policies advisory Low Low WLS 9.0
2006-05-15 BEA06-125.00 Internal network information may be externally visible advisory Low Low WLS 8.1 (-SP4)
WLS 7.0 (-SP6)
WLS 6.1 (-SP7)
2006-05-15 BEA06-124.00 Applications installed on WebLogic Server can obtain private keys advisory Low Low WLS 9.1
WLS 9.0
WLS 8.1 (-SP5)
WLS 7.0 (-SP6)
WLS 6.1 (-SP7)
2006-05-15 BEA06-121.00 The stopWebLogic.sh script echoes the system password on UNIX advisory Low High WLPL 8.1 (-SP2)
WLPL 7.0 (-SP5)
2006-05-15 BEA06-120.01 A default internal servlet allowed local file system access advisory High High WLS 6.1 (-SP7)
2006-05-15 BEA06-114.01 Application code installed on a server may be able to decrypt passwords advisory Low High WLS 9.0
WLS 8.1 (-SP4)
2006-05-15 BEA06-81.02 Anonymous binds to the embedded LDAP server are allowed. advisory High High WLS 9.0
WLS 8.1 (-SP5)
WLS 7.0 (-SP6)
2006-03-20 BEA06-123.00 Certain XML documents can cause “server out of memory” errors. advisory High High WLS 8.1 (-SP4)
WLS 7.0 (-SP6)
WLS 6.1 (-SP7)
2006-03-20 BEA06-122.00 JSR-168 Portlets may be rendered to an unauthorized user advisory High Medium WLP 8.1 (-SP5)
2006-03-20 BEA06-111.01 The server log may be remotely viewable. advisory High Low WLS 8.1 (-SP4)
WLS 7.0 (-SP6)
WLS 6.1 (-SP7)
2006-03-20 BEA06-105.01 Certain HTTP requests may be used to launch HTTP Request Smuggling attacks on the server. advisory Medium High WLS 8.1 (-SP4)
WLS 7.0 (-SP6)
WLS 6.1 (-SP7)
2006-01-23 BEA06-119.00 Console applies incorrect JNDI policies. advisory Medium Medium WLS 9.0
2006-01-23 BEA06-118.00 Server's SSL identity not properly protected from applications. advisory Low Medium WLS 8.1 SP5
2006-01-23 BEA06-117.00 Using a connection filter can cause the server to slow down advisory Medium High WLS 9.0
WLS 8.1 (-SP5)
WLS 7.0 (-SP6)
2006-01-23 BEA06-116.00 Non-active security provider appears active. advisory Low Low WLS 9.0
2006-01-23 BEA06-115.00 A patch is available to enforce access to only specific resources. advisory High High WLP 8.1 SP3, SP4, SP5
2006-01-23 BEA06-113.00 Changed passwords may show up in audit log advisory Medium High WLS 8.1 (-SP4)
2006-01-23 BEA06-112.00 An application's deployment descriptor source is visible. advisory High Medium WLP 8.1 (-SP4)
2006-01-23 BEA06-109.00 Multiple MBean vulnerabilities. advisory High High WLS 8.1 (-SP4)
WLS 7.0 (-SP6)
WLS 6.1 (-SP7)
2006-01-23 BEA06-108.00 Documentation is available describing securing multiple-domains managed from one instance of the WebLogic Server Administration Console. advisory Low High WLS 7.0
WLS 6.1
2006-01-23 BEA06-106.01 Requests for a servlet doing relative forwarding may result in a Denial-of-Service (DOS) attack. advisory High Medium WLS 8.1 (-SP4)
WLS 7.0 (-SP6)
2005-10-10 BEA05-85.00 Client/server communications that do not specify a user are not protected by the SSL protocol correctly. advisory Medium High WLS 8.1 (-SP3)
WLS 7.0 (-SP6)
WLS 6.1 (-SP7)
2005-10-10 BEA05-86.00 In specific circumstances, client/server communications are not using the SSL connection as expected advisory Medium High WLS 8.1 (-SP4)
WLS 7.0 (-SP6)
WLS 6.1 (-SP7)
2005-10-10 BEA05-88.00 A Deployed application can change privileges from Deployer to Admin. advisory Low High WLS 8.1 (-SP4)
WLS 7.0 (-SP6)
2005-10-10 BEA05-89.00 Audit events may be posted with incorrect severity. advisory Low Medium WLS 8.1 (-SP4)
WLS 7.0 (-SP6)
2005-10-10 BEA05-90.00 A patch is available to prevent users from accessing machine information behind a firewall. advisory Medium Low WLS 8.1 (-SP3)
2005-10-10 BEA05-91.00 The passphrase for the Trust keystore appears in clear text in the nodemanager.config file. advisory Low Medium WLS 8.1 (-SP3)
2005-10-10 BEA05-92.00 Principals from a derived Principal class may not be fully validated. advisory Low High WLS 8.1 (-SP4)
WLS 7.0 (-SP5)
2005-10-10 BEA05-93.00 Servlet security constraint fails to properly protect root advisory High Medium WLS 8.1 (-SP3)
WLS 7.0 (-SP5)
2005-10-10 BEA05-94.00 The local file system may be accessed remotely by a user granted the Admin security role. advisory Medium Medium WLS 8.1 (-SP3)
2005-10-10 BEA05-95.00 Exporting security policies from one operating system and importing to another operating system can lead to servlets being unprotected. advisory Low Medium WLS 8.1
WLS 7.0
2005-10-10 BEA05-96.00 The passphrase for the private key used in the configuration of SSL appears in cleartext when creating a WebLogic Server domain using the Configuration Wizard. advisory Low Medium WLS 8.1 (-SP3)
2005-10-10 BEA05-97.00 Servlet resources may not be fully protected when using fullyDelegateAuthorization mode in the Administration Console. advisory Low Medium WLS 8.1 (-SP3)
WLS 7.0 (-SP5)
2005-10-10 BEA05-98.00 Sensitive system properties values are displayed in the server log. advisory Low High WLS 8.1 (-SP4)
WLS 7.0 (-SP5)
WLS 6.1 (-SP7)
2005-10-10 BEA05-99.00 The password used to boot the server may appear in clear text in the Windows registry. advisory Low High WLS 8.1 (-SP4)
WLS 7.0 (-SP6)
WLS 6.1 (-SP7)
2005-10-10 BEA05-100.00 A password might be exposed in some Subjects constructed by the IIOP protocol advisory Low High WLS 8.1 (-SP4)
WLS 7.0 (-SP6)
WLS 6.1 (-SP7)
2005-10-10 BEA05-101.00 The documentation has been updated to recommend multiple administrator accounts. advisory High Medium WLS 9.0
WLS 8.1
WLS 7.0
2005-10-10 BEA05-102.00 In specific circumstances, weblogic.Deployer communication with the Administration server could be compromised. advisory Medium High WLS 8.1 (-SP4)
WLS 7.0 (-SP6)
2005-10-10 BEA05-103.00 Multicast data is not encrypted. advisory Medium Medium WLS 8.1 (-SP4)
WLS 7.0 (-SP5)
2005-10-10 BEA05-104.00 Auditing of MBean configuration changes may stop. advisory Low Medium WLS 8.1 (-SP4)
2005-08-22 BEA05-84.00 A patch is available to enforce correct access restrictions. advisory High High WLP 8.1 (-SP4)
2005-08-15 BEA05-61.01 A patch is available to prevent Denial of Service attack advisory High High WLS 8.1 (-SP2), SP4
2005-08-15 BEA05-83.00 JCE 1.2.1 cert will expire 7/27/2005 notification WLS 7.0, WLPL 7.0
2005-05-24 BEA05-52.02 Patches are available to prevent unintended system administrator privileges advisory Very Low Medium WLS 8.1 (-SP2)
WLS 7.0 (-SP4)
2005-05-24 BEA05-72.01 Upgrade and patch are available to disable users in Active Directory LDAP server advisory Medium High WLS 8.1 (-SP2)
WLS 7.0 (-SP5)
2005-05-24 BEA05-74.01 Login exceptions may give clues as to why a login attempt failed. advisory High High WLS 8.1 (-SP4)
WLS 7.0 (-SP6)
2005-05-24 BEA05-75.00 A patch is available to restrict access to JDBC connection pools from users granted the Monitor security role advisory Low Medium WLS 8.1 SP2, SP3
2005-05-24 BEA05-76.00 WebLogic Server fails to audit and correctly handle exceptions generated by security providers advisory Medium High WLS 8.1 (-SP3)
WLS 7.0 (-SP5)
2005-05-24 BEA05-77.00 User was not logged out when a Web application was redeployed advisory Low Medium WLS 7.0 (-SP5)
2005-05-24 BEA05-78.00 Incorrect password from failed login attempt echoed to standard output advisory Low Medium WLP 8.1 (-SP3)
2005-05-24 BEA05-79.00 Incorrect cookie data may impact cluster performance advisory High High WLS 7.0 (-SP5)
2005-05-24 BEA05-82.00 Denial of Service attack advisory High High WLS 6.1 SP4
2005-03-28 BEA05-51.01 Patches available to protect password advisory Low High WLS 8.1 (-SP2)
WLS 7.0 (-SP5)
WLS 6.1 (-SP6)
2004-09-13 BEA04-70.00 Patches are available to protect Server version information advisory Low Low WLS 8.1 (-SP3)
WLS 7.0 (-SP5)
WLS 6.1 (-SP6)
2004-09-13 BEA04-67.00 Upgrade and patches are available to prevent a showcode vulnerability advisory Low Low WLS 8.1 (-SP2)
WLS 7.0 (-SP5)
WLS 6.1 (-SP6)
2004-09-13 BEA04-65.00 Patches are available to prevent unauthorized access advisory Medium High WLS 8.1 (-SP2)
WLS 7.0 (-SP5)
WLS 6.1 (-SP6)
2004-09-13 BEA04-71.00 Upgrade and patch are available to ensure complete security role and policy deployment advisory Low Medium WLS 8.1 (-SP2)
WLS 7.0 (-SP5)
2004-09-13 BEA04-73.00 Documentation is available to configure the server for encryption of administrative data. advisory Low High WLS 8.1 (all)
WLS 7.0 (all)
2004-09-13 BEA04-68.00 Patches are available to assist in securing passwords in scripts using the WebLogic Server command-line utilities and Administrative ant tasks notification WLS 8.1 (-SP2)
WLS 7.0 (-SP4)
WLS 6.1 (-SP6)
2004-09-13 BEA04-66.00 Patches are available to prevent unauthorized access to Administrator commands advisory Medium Medium WLS 8.1 (-SP2)
WLS 7.0 (-SP5)
2004-09-13 BEA04-69.00 Upgrade and patches are available to protect password advisory Low High WLS 8.1 (-SP2)
WLS 7.0 (-SP5)
WLS 6.1 (-SP6)
2004-06-28 BEA04_64.00 Patches available to protect Web Applications advisory Low Low WLS 8.1 (-SP2)
WLS 7.0 (-SP5)
2004-06-28 BEA04_63.00 Patch available to prevent arbitrary file access and possible disk space exhaustion advisory High High WLPL 8.1 (-SP2)
2004-06-14 BEA04_62.00 A remedy is available to prevent unexpected user identity advisory Low Low WLS 8.1 (all)
WLS 7.0 (all)
WLS 6.1 (all)
2004-05-11 BEA04_60.00 Patches are available to protect user authorizations. advisory Low Medium WLS 8.1 (-SP2)
WLS 7.0 (-SP5)
2004-05-11 BEA04_59.00 Patches are available to prevent unintended access to web applications. advisory Low High WLS 8.1 (-SP2)
WLS 7.0 (-SP5)
2004-04-20 BEA04_56.00 Upgrades available to correct servlet security error advisory Low High WLS 8.1 (-SP1)
WLS 7.0 (-SP4)
2004-04-20 BEA04_58.00 Patch available to protect passwords advisory Low High WLS 8.1 (-SP2)
2004-04-20 BEA04_57.00 Upgrade & patches available to prevent EJB objects being deleted without required permission advisory Low High WLS 8.1 (-SP2)
WLS 7.0 (-SP4)
WLS 6.1 (-SP6)
2004-04-13 BEA04_53.00 Patches are available to prevent password exposure advisory Low High WLS 8.1 (-SP2)
WLS 7.0 (-SP4)
WLS 6.1 (-SP6)
2004-04-13 BEA04_54.00 Patches available to prevent user impersonation advisory Medium High WLS 8.1 (-SP2)
WLS 7.0 (-SP4)
2004-04-13 BEA04_55.00 Patches available to prevent password exposure advisory Low High WLS 8.1 (-SP2)
WLS 7.0 (-SP4)
2004-03-10 BEA04_43.01 Workaround available to prevent MBean exposure advisory Low Low WLS 8.1 (all)
WLS 7.0
WLS 6.1 (all)
2004-02-19 BEA04_48.01 Patches available to prevent compromise of user accounts advisory Low High WLS 8.1 (-SP2)
WLS 7.0 (-SP4)
WLS 6.1 (-SP6)
WLS 5.1 (-SP13)
2004-01-26 BEA04_49.00 Upgrade available to protect Administrative permissions advisory Low High WLS 8.1 (-SP1)
2004-01-26 BEA04_47.00 Patch and upgrade available to prevent SSL Certificate re-use advisory Low Medium WLS 7.0 (-SP4)
2004-01-26 BEA04_50.00 Upgrade available to protect password advisory Low High WLS 8.1 (-SP1)
2004-01-12 BEA04-45.00 Upgrade recommended to prevent Denial of Service advisory High High WLS 7.0 (-SP4)
WLS 6.1 (-SP5)
WLS 5.1 (-SP13)
2004-01-12 BEA04-46.00 Upgrade available to protect password advisory Low High WLS 8.1 (-SP1)
2003-12-30 BEA03-44.00 Expiration of CA certificates notification WLS
2003-11-11 BEA03-39.00 Remedies available to prevent Denial of Service advisory High High WLS 8.1 (-SP1)
WLS 7.0 (-SP4)
WLS 6.1 (-SP5)
2003-11-11 BEA03-40.00 Patches available to prevent unintended use of nonencrypted connection advisory Low Low WLS 8.1 (-SP1)
WLS 7.0 (-SP4)
2003-11-11 BEA03-42.00 Patches available to protect Node Manager advisory Low Low WLS 8.1 (-SP1)
WLS 7.0 (-SP4)
WLS 6.1 (-SP5)
2003-11-11 BEA03-41.00 Patches available to protect password advisory Low Low WLS 8.1 (-SP1)
2003-11-11 BEA03-43.00 Workaround available to prevent MBean exposure advisory Low Low WLS 8.1 (-SP1)
WLS 7.0 (-SP4)
WLS 6.1 (-SP5)
2003-10-29 BEA03-38.00 Patch available to prevent BEA Tuxedo Administration Console vulnerability advisory Low Medium Tuxedo 8.1
Tuxedo 8.0
Tuxedo 7.1
Tuxedo 6.5
Tuxedo 6.4
Tuxedo 6.3
WebLogic Enterprise 5.1
WebLogic Enterprise 5.0.1
WebLogic Enterprise 4.2
2003-08-27 BEA03-37.00 Patch available to prevent unintentional access to the machine's file system over a Web browser. advisory Medium High WLI-BC 8.1
2003-08-20 BEA03-14.06 Patch available for DOS attack advisory Low High WLS 7.0 (-SP1)
WLS 6.1 (-SP3)
WLS 6.0 (-SP2RP3)
WLS 5.1 (-SP12)
2003-08-20 BEA03-36.01 Patches available to prevent multiple cross-site scripting (XSS) vulnerabilities. advisory Low High WLI 7.0 (-SP2)
WLI 2.1
LD 1.1
WLS 7.0 (-SP3)
WLS 6.1 (-SP5)
WLS 5.1
2003-07-30 BEA03-35.00 Patch available to safeguard current user identity advisory Medium High WLS 7.0 SP3
2003-07-08 BEA03-33.00 Patches available to prevent operators from gaining administrative access advisory Low High WLS 8.1
WLS 7.0 (-SP2)
2003-07-08 BEA03-34.00 Patches available to protect password advisory Low Low WLS 7.0 (-SP2)
WLS 6.1 (-SP5)
2003-07-08 BEA03-32.00 Patch available to prevent unauthorized access to the console advisory Low Low WLS 7.0 (-SP2)
2003-07-08 BEA03-28.01 Patches available to prevent non-privileged accounts to access application resources advisory Medium High WLS 8.1
WLS 7.0 (-SP2)
WLS 6.1 (-SP4)
WLS 6.0 (-SP2RP3)
2003-05-12 BEA03-30.00 Patch available to prevent clear-text passwords advisory Low Medium WLS 7.0 (-SP2)
2003-05-12 BEA03-31.00 Patches available to prevent invalid SSL certificate chain vulnerability advisory Medium High WLS 7.0 (-SP1)
WLS 6.1 (-SP4)
WLS 5.1 (-SP13)
WLE 5.1
WLE 5.0.1
Tuxedo 8.1
Tuxedo 8.0
2003-03-17 BEA03-29.00 Remedy available to prevent deletion of subcontexts advisory Low Low WLS 7.0 (-SP1)
2003-03-17 BEA03-27.00 Remedy available to prevent access to a web application without re-authentication advisory Low Low WLS 7.0 (-SP2)
2003-03-17 BEA03-26.01 Patch available to prevent session sharing advisory Low High WLS 7.0 (-SP2)
WLS 6.1 (-SP4)
WLS 6.0 (-SP2RP3)
WLS 5.1 (-SP13)
2003-01-28 BEA03-25.00 Patch available to protect password advisory Low High WLS 7.0 (-SP1)
2003-01-10 BEA03-24.00 Patch available to protect password advisory Low Low WLS 7.0 (-SP1)
2002-12-13 BEA02-23.01 Patch available to prevent DOS attack through XML parsing advisory Low Low WLI 7.0 (-SP1)
WLI 2.1
WLS 7.0 (-SP1)
WLS 6.1 (-SP4)
WLS 6.0 (-SP2RP3)
2002-10-15 BEA02-22.00 Patch available to prevent policy roles and mappings from being ignored in WebLogic Integration 7.0 or in WebLogic Server 7.0 Service Pack 1 advisory High High WLS 7.0 (-SP1)
2002-10-01 BEA02-21.00 Upgrade to prevent inadvertent removal of security from Servlets or EJBs advisory Low High WLS 7.0
2002-09-27 BEA02-20.00 Upgrades to prevent data sharing advisory Low Medium WLS 7.0
WLS 6.1 (-SP2)
2002-07-03 BEA02-19.00 Patch available to prevent DOS attack advisory WLS 7.0
WLS 6.1 (-SP3)
WLS 6.0 (-SP2RP3)
WLS 5.1 (-SP12)
2002-05-10 BEA02-18.00 Patch available to protect password exposure using SNMP Agent advisory Low WLS 5.1 (-SP12)
2002-05-09 BEA02-17.00 Patch available to prevent viewing of file contents advisory WLS 6.1 (-SP2)
WLS 6.0 (-SP2RP3)
WLS 5.1 (-SP12)
WLS 4.5.2 (-SP2)
WLS 4.5.1 (-SP15)
2002-04-22 BEA02-03.03 Patch available for Show Code Vulnerability advisory WLS 6.1 (-SP2)
WLS 6.0 (-SP2RP3)
WLS 5.1 (-SP11)
WLS 4.5.2 (-SP2)
WLS 4.5.1 (-SP14)
2002-04-22 BEA02-16.01 Patch available for SNMP implementation vulnerability advisory WLS 6.1 (-SP2)
WLS 5.1 (-SP11)
2002-01-31 BEA02-15.00 Patch available to protect password advisory Low WLS 6.1 (-SP2)
2002-01-10 BEA02-13.00 Patch Available for Unintended Permissions advisory WLS 6.1 (-SP1)
WLS 6.0 (-SP2)
WLS 5.1 (-SP10)
WLS 4.5.2 (-SP2)
WLS 4.5.1 (-SP15)
2001-11-09 BEA01-12.01 Clarification in documentation for the CSR Generator Servlet for BEA WebLogic Server and BEA WebLogic Server Express advisory WLS 6.1 (all)
WLS 5.1 (all)
WLS 4.5.2 (all)
WLS 4.5.1 (all)
2001-06-22 BEA01-11.00 Fix available for Administrative Configuration Vulnerability advisory WLS 6.0 (-SP1)
2001-05-09 BEA01-10.00 Patch Available for TDomain gateway Vulnerability in BEA Tuxedo advisory Medium Tuxedo 6.3
Tuxedo 6.4
Tuxedo 6.5
Tuxedo 6.5.1
Tuxedo 7.1
Tuxedo 7.1.1
WLE 4.2
WLE 5.0
WLE 5.1
2001-03-27 BEA00-09.00 Patch Available for Default Settings of Directory Indexing advisory Low WLS 6.0
2001-03-19 BEA00-08.00 Patch Available for Access Control Vulnerability in BEA Tuxedo advisory Medium Tuxedo 7.1
2000-08-14 BEA00-05.01 Patch for buffer overflow in WLS Proxy Plug-In advisory Low WLS 5.1 (-SP4)
WLS 4.5.2
WLS 4.5.1 (-SP10)
2000-07-31 BEA00-04.00 Compilation and Execution of Arbitrary Files in Web Document Root Directory advisory WLS 5.1 (all)
2000-06-12 BEA00-01.00 Vulnerability in Default httpd.servlet configuration (Windows and NT only) advisory WLS 4.5.1 (all)
WLS 4.0.4 (all)
WLS 3.1.8 (all)
2000-06-12 BEA00-02.00 Vulnerability in Default File Servlet configuration advisory WLS 5.1 (all)
WLS 4.5.2 (all)
WLS 4.5.1 (all)
WLS 4.0.4 (all)
WLS 3.1.8 (all)

* Threat: The location from which an attack may be launched: "High" indicates a vulnerability that is remotely exploitable; a "Low" threat is a vulnerability that requires local access to the product.

** Severity: The extent of the potential impact: "High" indicates the integrity/availability/confidentiality of the product may be seriously compromised, "Low" indicates a less significant impact on the product's integrity/availability/confidentiality.

*** CVSS Rating: Common Vulnerability Scoring System (CVSS) is a vulnerability scoring system designed to provide an open and standardized method for rating IT vulnerabilities.

**** In this column, WLPL denotes WebLogic Platform, WLS denotes WebLogic Server and Express, WLI denotes WebLogic Integration, WLE denotes WebLogic Enterprise, LD denotes Liquid Data.

When a vulnerability exists only in specific Service Packs, they are specified. For example, WLS 6.1 (-SP2) means that the vulnerability exists in the initial release of WebLogic Server and Express 6.1, as well as in Service Packs 1 and 2. WLS 6.1 means that the vulnerability exists only in the initial release of WebLogic Server and Express 6.1. WLS 6.1 (all) means that the vulnerability exists in all versions of WebLogic Server and Express 6.1.