From: BEA Systems Inc.
Minor Subject: Security Configuration Advisory - BEA WebLogic Server
Product(s) Affected: BEA WebLogic Server and Express
It has come to our attention that there is a common misconfiguration that has the potential to lead to a security vulnerability in certain versions of BEA WebLogic Server on the Microsoft Windows NT and Windows 2000 platform. No other platforms are affected. BEA treats such possibilities with the highest degree of urgency and does everything possible to ensure the security of all customer assets. As a result, we strongly suggest the following actions.
I. Read the following advisory.
II. If you are interested in future security advisories, please follow the directions below to register and verify your contact information.
III. See the Frequently Asked Questions
I. ADVISORY
Last week, Foundstone, Inc. (www.foundstone.com), a security consulting and training firm, reported the following issue on the Microsoft Windows NT and 2000 platform:
Check the following property in the weblogic.properties file:
weblogic.httpd.servlet.extensionCaseSensitive
In certain versions of BEA WebLogic Server, the default of this property is set to "false". For maximum security, as documented in our security lockdown documentation at:
http://www.weblogic.com/docs51/admindocs/properties.html
http://www.weblogic.com/docs51/admindocs/lockdown.html
set weblogic.httpd.servlet.extensionCaseSensitive to "true", or add the following line to your weblogic.properties file:
weblogic.httpd.servlet.extensionCaseSensitive=true
BEA strongly recommends the following course of action:
Review the following matrix to determine the appropriate course of action for your version of BEA WebLogic Server.
- Version: BEA WebLogic 5.1 for Windows NT and 2000
- Status: Set to true by default
- Action: None

- Version: BEA WebLogic 4.5.2 for Windows NT and 2000
- Status: Set to true by default
- Action: None

- Version: BEA WebLogic 4.5.1 for Windows NT and 2000
- Status: Set to false by default
- Action: Set weblogic.httpd.servlet.extensionCaseSensitive=true

- Version: BEA WebLogic 4.0.4 for Windows NT and 2000
- Status: Set to false by default
- Action: Set weblogic.httpd.servlet.extensionCaseSensitive=true

- Version: BEA WebLogic 3.1.8 for Windows NT and 2000
- Status: Set to false by default
- Action: Apply patch found at:
ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/318/caseSensitiveNTFix318.zip
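As an added example (not part of BEA's advisory or of the WebLogic product), the following Python script audits a weblogic.properties file against the version matrix above and reports the action the advisory calls for; the sample file contents and the function names are constructed for illustration.

```python
"""Audit a weblogic.properties file for the extensionCaseSensitive advisory (constructed example)."""
from typing import Dict

PROPERTY = "weblogic.httpd.servlet.extensionCaseSensitive"

# Version matrix as stated in the advisory (Windows NT/2000 only).
DEFAULT_TRUE = {"5.1", "5.1.0", "4.5.2"}      # safe unless explicitly overridden
DEFAULT_FALSE = {"4.5.1", "4.0.4"}            # must be set to true explicitly
NEEDS_PATCH = {"3.1.8"}                       # caseSensitiveNTFix318 patch
MUST_UPGRADE = {"4.0.1", "4.0.2", "4.0.3"}    # upgrade to 4.0.4, then set the property


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, first '=' or ':' separates key/value."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if seps:
            idx = min(seps)
            props[line[:idx].strip()] = line[idx + 1:].strip()
        else:
            props[line] = ""          # key with an empty value
    return props


def assess(version: str, props: Dict[str, str]) -> str:
    """Return the advisory's required action for this server version and its configuration."""
    value = props.get(PROPERTY)
    explicit_true = value is not None and value.lower() == "true"
    if version in MUST_UPGRADE:
        return "upgrade to 4.0.4 and set extensionCaseSensitive=true"
    if version in NEEDS_PATCH:
        return "apply caseSensitiveNTFix318 patch"
    if version in DEFAULT_TRUE:
        # Safe by default; only an explicit override to a non-true value reopens the exposure.
        return "none" if value is None or explicit_true else "set extensionCaseSensitive=true (overridden)"
    if version in DEFAULT_FALSE:
        return "none" if explicit_true else "set extensionCaseSensitive=true"
    return "unknown version: check weblogic.properties manually"


if __name__ == "__main__":
    # Constructed sample file: a 4.5.1 install with the property left at its default.
    sample = "# weblogic.properties (constructed sample)\nweblogic.system.name=myserver\n"
    print("4.5.1:", assess("4.5.1", parse_properties(sample)))
```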
II. FUTURE SECURITY COMMUNICATIONS
As a policy, if there are any security related issues with any BEA product, BEA will distribute an alert and instructions with the appropriate course of action. Because the security of your site, data, and code is our highest priority, we feel strongly that all security related issues should be clearly and openly communicated. We encourage you, or those responsible for security related issues at your site, to register with us so we can communicate future advisories to you directly.
All previous advisories can be viewed at http://dev2dev.bea.com/advisoriesnotifications/.
BEA is establishing a new, permission-based emailing list specifically targeted for product security advisories. As a policy, if a user has opted-in to our emailing list and there are any security issues with the BEA product(s) he/she is using, BEA will distribute an advisory and instructions via email with the appropriate course of action.
You have received this message because you have opted in for BEA WebLogic Security Advisories. Thank you for registering with us.
IN ORDER TO MAKE SURE THAT WE HAVE THE APPROPRIATE CONTACT INFORMATION FOR SECURITY RELATED ISSUES, PLEASE REGISTER AT THE FOLLOWING URL: http://contact2.bea.com/bea/www/advisories/login.jsp
If you have any questions, please contact BEA Technical Support at support@bea.com
Thank you,
BEA Systems, Inc.
III. FREQUENTLY ASKED QUESTIONS
Q: What is the nature of this security advisory?
In certain configurations of BEA WebLogic Server running on Windows NT and 2000, unauthorized clients may be able to view source code for JSP and jHTML pages. This exposure is limited to viewing source code only, and does not provide any opportunity for unauthorized clients to modify or otherwise corrupt JSP or jHTML code.
Q: Who is affected by this security advisory?
Only users of certain versions and configurations of BEA WebLogic Server running on Windows NT or 2000 may be affected.
The following versions of BEA WebLogic Server are NOT affected in the default configuration:
- BEA Weblogic Server 4.5.2
- BEA Weblogic Server 5.1.0
- BEA WebLogic Server 4.5.1
- BEA WebLogic Server 4.0.x
- BEA WebLogic Server 3.1.8
If you are running BEA WebLogic Server on any platform other than Microsoft Windows NT or Windows 2000, you are not affected by this advisory and do not need to take any action.
If you are running BEA WebLogic Server 4.5.2 or BEA WebLogic Server 5.1.0 on Microsoft Windows NT or Windows 2000, you are not affected by the advisory and do not need to take any action.
The following list identifies affected versions of BEA WebLogic Server and the recommended action:
- Version: BEA WebLogic 4.5.1 for Windows NT or 2000
- Status: Set to false by default
- Action: Set weblogic.httpd.servlet.extensionCaseSensitive=true

- Version: BEA WebLogic 4.0.4 for Windows NT or 2000
- Status: Set to false by default
- Action: Set weblogic.httpd.servlet.extensionCaseSensitive=true

- Version: BEA WebLogic 3.1.8 for Windows NT or 2000
- Status: Set to false by default
- Action: Apply patch found at:
ftp://anonymous:dev2dev%40bea.com@ftpna.bea.com/pub/releases/318/caseSensitiveNTFix318.zip
Q: What if I am still using 4.0.1, 4.0.2 or 4.0.3?
A: You must upgrade to 4.0.4 and add weblogic.httpd.servlet.extensionCaseSensitive=true to the weblogic.properties file.
Q: How may I contact BEA for more information?
Customers and partners should contact support@bea.com. Analysts or the press may contact Christina Grenier at cgrenier@bea.com.
Q: What is BEA's plan to inform customers of this security advisory?
A direct electronic mail is being sent to all BEA WebLogic Server customers. BEA has also created a special mailing list for future distribution of security bulletins. You can subscribe to this list at the following URL:
http://contact2.bea.com/bea/www/advisories/login.jsp
Q: How can I report a potential security issue to BEA for immediate analysis?
An email address has been created for reports of any possible security issues in BEA products: security-report@bea.com
