From: BEA Systems Inc.
Minor Subject: Patch Available for Access Control Vulnerability in BEA Tuxedo
Product(s) Affected: BEA Tuxedo 7.1
Threat Level: Medium
It has come to our attention that an anomaly in BEA Tuxedo could be used to expose a potential security vulnerability. This condition affects BEA Tuxedo version 7.1 on all supported platforms. BEA treats such possibilities with the highest degree of urgency and does everything possible to ensure the security of all customer assets. As a result, we strongly suggest the following action:
I. Read the following advisory.
II. Apply the suggested action.
III. If you know of any additional users interested in future security advisories, please forward them the registration instructions below.
IV. If you would like to report a possible security issue in a BEA product, please send email to the BEA email address listed below.
I. ADVISORY
A vulnerability has been identified in BEA Tuxedo version 7.1 that may potentially allow an unauthorized user to access a service in a remote Tuxedo domain. The cause is a fault in the Domain gateway: it does not perform authorization checks for outgoing access to imported services and qspaces on remote domains. This affects all Tuxedo Domain gateways, including the TDomain gateway, the TOP END Domain Gateway and the BEA eLink Adapter for Mainframe products.
That is, when SECURITY is set to ACL or MANDATORY_ACL in the UBBCONFIG file for the application, and an Access Control List entry exists for a service (or services) imported through a Domain gateway, the Access Control List entry is ignored and all outgoing accesses to the imported service (or services) are permitted. Similarly, if a plug-in security provider (such as ENTRUST) is in use, the authorization and auditing plug-ins in the Domain gateway are not called for outgoing requests to remote services. This affects both imported services and imported qspaces.
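The following is an added illustration of the behaviour described above, not BEA Tuxedo code: a small model of the Domain gateway's outgoing authorization decision, with the faulty check (imported services bypass the ACL) beside the corrected one, and a helper that lists which calls in a constructed sample differ between the two. The ACL and MANDATORY_ACL semantics modelled here are the standard UBBCONFIG ones (no entry means allowed under ACL, denied under MANDATORY_ACL); the service and group names are made up.

```python
from dataclasses import dataclass, field

@dataclass
class Config:
    """Subset of an application's security configuration (constructed)."""
    security: str                                 # UBBCONFIG *RESOURCES SECURITY: "ACL" or "MANDATORY_ACL"
    acl: dict = field(default_factory=dict)       # service name -> set of groups permitted to call it
    imported: set = field(default_factory=set)    # services imported through the Domain gateway

def acl_permits(cfg: Config, service: str, caller_groups: set) -> bool:
    """Standard ACL decision: an existing entry must match one of the caller's
    groups; a missing entry is allowed under ACL and denied under MANDATORY_ACL."""
    entry = cfg.acl.get(service)
    if entry is None:
        return cfg.security == "ACL"
    return bool(entry & caller_groups)

def authorize_unpatched(cfg: Config, service: str, caller_groups: set) -> bool:
    """Faulty gateway (pre patch level 21): outgoing requests to imported
    services skip the ACL entirely, so every such call is permitted."""
    if service in cfg.imported:
        return True
    return acl_permits(cfg, service, caller_groups)

def authorize_patched(cfg: Config, service: str, caller_groups: set) -> bool:
    """Corrected gateway: the same ACL decision applies to local and imported services."""
    return acl_permits(cfg, service, caller_groups)

def find_bypassed(cfg: Config, calls: list) -> list:
    """Return the (service, groups) pairs the faulty gateway would let through
    but the corrected check denies; useful for reasoning about exposure."""
    return [(svc, grp) for svc, grp in calls
            if authorize_unpatched(cfg, svc, grp) and not authorize_patched(cfg, svc, grp)]

# Constructed sample: MANDATORY_ACL application importing two remote services.
SAMPLE_CFG = Config(
    security="MANDATORY_ACL",
    acl={"TRANSFER": {"tellers"}, "LOCAL_SVC": {"tellers"}},
    imported={"TRANSFER", "BALANCE"},
)
SAMPLE_CALLS = [
    ("TRANSFER", {"guests"}),    # imported, ACL entry exists, caller not in it
    ("BALANCE", {"guests"}),     # imported, no entry: MANDATORY_ACL should deny
    ("LOCAL_SVC", {"guests"}),   # local service: ACL enforced either way
    ("TRANSFER", {"tellers"}),   # imported, caller permitted by the entry
]

if __name__ == "__main__":
    for svc, grp in find_bypassed(SAMPLE_CFG, SAMPLE_CALLS):
        print(f"bypassed: {svc} from groups {sorted(grp)}")
```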
II. SUGGESTED ACTION
BEA advises the following:
- Version: BEA Tuxedo version 7.1
- Apply patch level 21 or later to any Tuxedo node which imports remote services via the Domain gateway. You can contact BEA Customer Support (1-888-232-7878) or send an email to support@bea.com. For a complete list of BEA Customer Support contact numbers, go to: http://www.bea.com/framework.jsp?CNT=contact_cs.htm&FP=/content/about/contact/.
III. FUTURE SECURITY COMMUNICATIONS
As a policy, if there are any security-related issues with any BEA product, BEA will distribute an advisory and instructions with the appropriate course of action. Because the security of your site, data, and code is our highest priority, we are committed to communicating all security-related issues clearly and openly.
BEA has established a new, permission-based emailing list specifically targeted for product security advisories. As a policy, if a user has opted in to our emailing list and there are any security issues with the BEA product(s) he/she is using, BEA will distribute an advisory and instructions via email with the appropriate course of action.
IF THERE ARE ADDITIONAL USERS RESPONSIBLE FOR SECURITY-RELATED ISSUES AT YOUR SITE, PLEASE DIRECT THEM TO REGISTER FOR FUTURE SECURITY NOTIFICATIONS.
IV. REPORTING SECURITY ISSUES
BEA has established an email address to which you can send reports of any possible security issues in BEA products. These reports should be sent to: security-report@bea.com. All correspondence to this address will be promptly reviewed and all necessary actions taken to ensure the continued security of all customer assets.
