This page contains references to all BEA Security Advisories up to the April 2009 CPU. After the April 2009 CPU, all BEA security advisories will only be posted at https://www.oracle.com/security-alerts/.
A high-level executive summary of the July 2008, October 2008, January 2009, and April 2009 Security Advisories Update (Critical Patch Update) for BEA products is available at https://www.oracle.com/security-alerts/.
As a policy, if there are any security vulnerability related issues with any BEA product, Oracle generally distributes an advisory and instructions with the appropriate course of action. Because the security of your site, data, and code is our highest priority, we are committed to communicating all security vulnerability related issues clearly and openly.
Starting with Oracle's July 2008 Critical Patch Update:
1. Security advisory information for BEA products will comply with the policy described at https://www.oracle.com/corporate/security-practices/assurance/vulnerability/security-fixing.html.
2. Security advisories for BEA products will use CVSS for scoring vulnerabilities. The Threat and Severity Model will not be used in security advisory information for BEA products.
3. Security advisories for BEA products will use Common Vulnerabilities and Exposures (CVE) identifiers rather than the previously used numbering convention (Vuln#) in the security advisory documentation. More details are available at https://www.oracle.com/security-alerts/cpufaq.html.
All Oracle JRockit security advisories released between August 2008 and April 2009 are tracked here.
The October 2008 CPU was the terminal Critical Patch Update for WebLogic Server/Express 6.1. As stated in the Oracle Lifetime Support policy, https://www.oracle.com/us/support/library/lifetime-support-technology-069183.pdf, Extended Support for WebLogic Server/Express 6.1 was valid through November 2008.
Oracle has completed the acquisition of BEA and we are in the process of integrating BEA's operations. As a result of process changes, we expect former BEA customers to log in to Oracle Support in order to download security advisory fixes.
Here is a summary of all BEA Security Advisories released up to the April 2009 CPU:
Date | Number | Title | Type | Threat * | Severity ** | CVSS Rating *** | Products Affected **** |
---|---|---|---|---|---|---|---|
2009-04-14 | CVE-2009-1016 | Security vulnerability in WebLogic plug-ins for Apache, Sun and IIS Web servers | advisory | - | - | 8.5 (High) | WLS 10.3 WLS 10.0 (-MP1) WLS 9.2 (-MP3) WLS 9.1 WLS 9.0 WLS 8.1 (SP6) WLS 7.0 (SP7) |
2009-04-14 | CVE-2009-1012 | Security vulnerability in WebLogic plug-ins for Apache and IIS Web servers | advisory | - | - | 10.0 (High) | WLS 10.3 WLS 10.0 (-MP1) WLS 9.2 (-MP3) WLS 9.1 WLS 9.0 WLS 8.1 (SP6) WLS 7.0 (SP7) |
2009-04-14 | CVE-2009-1006 | Multiple security vulnerabilities in JRockit | advisory | - | - | 10.0 (High) | R27.6.2 and earlier: JRE/JDK 6 JRE/JDK 5.0 SDK/JRE 1.4.2 |
2009-04-14 | CVE-2009-1005 | Elevation of privilege vulnerability in Oracle Data Service Integrator and AquaLogic Data Services Platform | advisory | - | - | 4.1 (Medium) | ALDSP 10.3.0 ALDSP 3.2 ALDSP 3.0.1 ALDSP 3.0 |
2009-04-14 | CVE-2009-1004 | Strengthened WebLogic Server web services security | advisory | - | - | 4.0 (Low) | WLS 10.3 |
2009-04-14 | CVE-2009-1003 | Source code disclosure in WebLogic Server web pages | advisory | - | - | 5.0 (Medium) | WLS 10.3 WLS 10.0 (-MP1) WLS 9.2 (-MP3) WLS 9.1 WLS 9.0 |
2009-04-14 | | Elevation of privilege vulnerability in WebLogic Server | advisory | - | - | 5.8 (Medium) | WLS 10.3 WLS 10.0 (-MP1) WLS 9.2 (-MP3) WLS 9.1 WLS 9.0 WLS 8.1 (SP6) WLS 7.0 (SP7) |
2009-04-14 | CVE-2009-1001 | Elevation of privilege vulnerability in WebLogic Portal | advisory | - | - | 5.5 (Medium) | WLP 8.1 (-SP6) |
2009-01-13 | CVE-2008-5462 | Elevation of privilege vulnerability in WebLogic Portal | advisory | - | - | 6.8 (Medium) | WLP 10.3 GA WLP 10.2 GA WLP 10.0 (-MP1) WLP 9.2 (-MP3) WLS 8.1 (-SP6) |
2009-01-13 | CVE-2008-5461 | Elevation of privilege vulnerability in WebLogic Console | advisory | - | - | 6.8 (Medium) | WLS 10.3 WLS 10.0 (-MP1) WLS 9.2 (-MP3) WLS 9.1 WLS 9.0 WLS 8.1 (SP6) WLS 7.0 (SP7) |
2009-01-13 | CVE-2008-5460 | Information disclosure vulnerability in JSP and servlets | advisory | - | - | 2.6 (Low) | WLS 10.3 GA WLS 10.0 (-MP1) WLS 9.2 (-MP3) WLS 9.1 WLS 9.0 |
2009-01-13 | CVE-2008-5459 | Security policy not enforced for WLS web services | advisory | - | - | 5.0 (Medium) | WLS 10.3 GA |
2009-01-13 | CVE-2008-5457 | Security vulnerability in WebLogic plug-ins for Apache, Sun and IIS Web servers | advisory | - | - | 10.0 (High) | WLS 10.3 WLS 10.0 (-MP1) WLS 9.2 (-MP3) WLS 9.1 WLS 9.0 WLS 8.1 (SP6) WLS 7.0 (SP7) |
2008-10-14 | CVE-2008-4013 | Protected webapps may be displayed under certain conditions | advisory | - | - | 6.8 (Medium) | WLS 10.0 (-MP1) WLS 9.2 (-MP3) WLS 9.1 WLS 9.0 WLS 8.1 (SP4 -SP6) |
2008-10-14 | CVE-2008-4012 | Elevation of privilege vulnerability in some NetUI pageflows | advisory | - | - | 5.1 (Medium) | WLW 8.1 (-SP5) |
2008-10-14 | CVE-2008-4011 | Elevation of privileges for some applications | advisory | - | - | 2.1 (Low) | WLS 10.0 (-MP1) WLS 9.2 (-MP3) WLS 9.1 WLS 9.0 |
2008-10-14 | CVE-2008-4010 | Elevation of privilege vulnerability in some NetUI tags | advisory | - | - | 6.8 (Medium) | WLW 10.3 GA WLW 10.2 GA WLW 10.0 (-MP1) WLW 9.2 (-MP3) WLW 9.1 GA WLW 9.0 GA WLW 8.1 (-SP6) |
2008-10-14 | CVE-2008-4009 | Elevation of Privilege vulnerability if more than one authorizer is used | advisory | - | - | 5.1 (Medium) | WLS 9.1 |
2008-10-14 | CVE-2008-4008 | Security vulnerability in WebLogic plug-in for Apache | advisory | - | - | 10.0 (High) | WLS 10.3 WLS 10.0 (-MP1) WLS 9.2 (-MP3) WLS 9.1 WLS 9.0 WLS 8.1 (-SP6) WLS 7.0 (-SP7) WLS 6.1 (-SP7) |
2008-08-04 | CVE-2008-3257 | Patch available for security vulnerability in WebLogic plug-in for Apache | advisory | - | - | 10.0 (High) | WLS 10.0 (-MP1) WLS 9.2 (-MP3) WLS 9.1 WLS 9.0 WLS 8.1 (-SP6) WLS 7.0 (-SP7) WLS 6.1 (-SP7) |
2008-07-15 | CVE-2008-2582 | Denial-of-Service vulnerability in WebLogic Server | advisory | - | - | 5.0 (Medium) | WLS 10.0 (-MP1) WLS 9.2 (-MP3) WLS 9.1 WLS 9.0 WLS 8.1 (-SP6) WLS 7.0 (-SP7) |
2008-07-15 | CVE-2008-2581 | Elevation of privilege vulnerabilities in the UDDI Explorer | advisory | - | - | 5.1 (Low) | WLS 10.0 (-MP1) WLS 9.2 (-MP3) WLS 9.1 WLS 9.0 WLS 8.1 (-SP6) WLS 7.0 (-SP7) |
2008-07-15 | CVE-2008-2580 | Information disclosure in JSP pages | advisory | - | - | 2.6 (Low) | WLS 10.0 (-MP1) WLS 9.2 (-MP3) WLS 9.1 WLS 9.0 |
2008-07-15 | CVE-2008-2579 | Information disclosure vulnerability in WebLogic plug-ins for Apache, Sun and IIS Web servers | advisory | - | - | 6.8 (Medium) | Plugins prior to July 15th 2008 |
2008-07-15 | CVE-2008-2578 | Information Disclosure vulnerability in the WebLogic console or server log | advisory | - | - | 4.3 (Medium) | WLS 10.0 WLS 9.2 (-MP1) |
2008-07-15 | CVE-2008-2577 | Elevation of privilege vulnerability in the Console/WLST | advisory | - | - | 4.6 (Medium) | WLS 9.2 MP1 |
2008-07-15 | CVE-2008-2576 | Information Disclosure vulnerability in the ForeignJMS component | advisory | - | - | 4.1 (Medium) | WLS 9.2 WLS 9.1 WLS 9.0 WLS 8.1 (-SP6) |
2008-04-16 | BEA08-201.00 | Multiple Security Vulnerabilities in the Java Runtime Environment | advisory | High | High | 9.0 (High) | BEA JRockit R27.5.0 or prior: JDK and JRE 6 Update 3 and earlier BEA JRockit R27.5.0 or prior: JDK and JRE 5.0 Update 14 and earlier BEA JRockit R27.5.0 or prior: SDK and JRE 1.4.2 Update 16 and earlier |
2008-02-19 | BEA08-183.00 | Security policies on a WebLogic Portal Page can inadvertently be lost by an administrator performing certain editing operations on that page | advisory | Low | Medium | 2.1 (Low) | WLP 8.1 (SP3-SP6) |
2008-02-19 | BEA08-184.00 | An entitlement on an instance of a floatable portlet can be bypassed | advisory | Low | Medium | 4.3 (Medium) | WLP 8.1 (-SP6) |
2008-02-19 | BEA08-185.00 | Cross-site scripting (XSS) vulnerabilities in Web applications using WebLogic Workshop NetUI page flows | advisory | High | High | 7.6 (High) | WLW 8.1 (-SP5) |
2008-02-19 | BEA08-186.00 | BEA Plumtree Portal cross site scripting (XSS) vulnerability | advisory | Medium | Medium | 5 (Medium) | BEA AquaLogic Interaction 6.1 (-MP1) BEA Plumtree Foundation 6.0 (-SP1) |
2008-02-19 | BEA08-187.00 | Web Service WSDL and policy is exposed to unauthenticated HTTP clients | advisory | Medium | Low | 2.6 (Low) | WLS 9.1 WLS 9.0 |
2008-02-19 | BEA08-188.00 | JavaScript can be injected into the WLP Groupspace application and can allow for an XSS exploit | advisory | Medium | Medium | 4.0 (Low) | WLP 10.0 WLP 9.2 (-MP1) |
2008-02-19 | BEA08-110.01 | Cleartext database password in the config.xml file | advisory | Low | Medium | | WLP 8.1 (-SP3) WLP 7.0 (SP4 - SP7) |
2008-02-19 | BEA08-189.00 | Cross-site scripting (XSS) vulnerabilities in Web applications using either WebLogic Workshop NetUI or Apache Beehive NetUI page flows | advisory | High | High | 6.8 (Medium) | WLW 10.0 WLW 9.2 (-MP1) WLW 9.1 WLW 9.0 WLW 8.1 (-SP6) |
2008-02-19 | BEA08-190.00 | A WebLogic Portal Administration Console session can inadvertently redirect from https port to an http port | advisory | Medium | High | 8.8 (High) | WLP 10.0 WLP 9.2 (-MP2) |
2008-02-19 | BEA08-191.00 | Tampering HTML request headers could lead to an elevation of privileges | advisory | High | Medium | 6.4 (Medium) | WLS 10.0 WLS 9.2 (-MP1) WLS 9.1 WLS 9.0 WLS 8.1 (-SP6) WLS 7.0 (-SP7) WLS 6.1 (-SP7) |
2008-02-19 | BEA08-192.00 | When content portlets are deleted from one of the portal’s pages, all entitlements are removed for the application | advisory | Low | Medium | 3.6 (Low) | WLP 10.0 WLP 9.2 (-MP1) |
2008-02-19 | BEA08-193.00 | Non-authorized user may be able to receive messages from a secured JMS Topic destination | advisory | Medium | High | 8.3 (High) | WLS 10 WLS 9.2 (-MP1) WLS 9.1 WLS 9.0 |
2008-02-19 | BEA08-194.00 | A non-authorized user may be able to send messages to a protected distributed queue | advisory | Medium | High | 8.3 (High) | WLS 10 WLS 9.2 (-MP1) WLS 9.1 WLS 9.0 |
2008-02-19 | BEA08-195.00 | Cross-site scripting vulnerability in Console’s Unexpected Exception Page | advisory | Medium | High | 6.1 (Medium) | WLS 10.0 WLS 9.2 (-MP1) WLS 9.1 WLS 9.0 |
2008-02-19 | BEA08-196.00 | A session fixation exploit could result in elevated privileges | advisory | Low | High | 6.8 (High) | WLS 10.0 WLS 9.2 (-MP1) WLS 8.1 (SP4 - SP6) |
2008-02-19 | BEA08-197.00 | Account lockout can be bypassed, exposing the account to a brute-force password attack | advisory | Medium | Medium | 6.8 (Medium) | WLS 10.0 (-MP1) WLS 9.2 (-MP2) WLS 9.1 WLS 9.0 WLS 8.1 (-SP6) WLS 7.0 (-SP7) |
2008-02-19 | BEA08-198.00 | Multiple Security Vulnerabilities in Java Web Start and the Java Plug-in for browsers | advisory | Low | Medium | 2.4 (Low) | BEA JRockit R24:JRockit R24.3-1.4.2_04 to R24.5-1.4.2_08 BEA JRockit R25: JRockit R25.0-1.5.0 to R25.2-1.5.0_03 |
2008-02-19 | BEA08-80.04 | Patches available to prevent multiple cross-site scripting (XSS) vulnerabilities | advisory | High | High | | WLS 10.0 (-MP1) WLS 9.2 (-MP2) WLS 9.1 WLS 9.0 WLS 8.1 (-SP6) WLS 7.0 (-SP7) WLS 6.1 (-SP7) |
2008-02-19 | BEA08-159.01 | Requests served through WebLogic proxy servlets may acquire elevated privileges | advisory | Medium | High | 5.6 (Medium) | WLS 9.1 WLS 9.0 WLS 8.1 (-SP5) WLS 7.0 (-SP7) WLS 6.1 (-SP7) |
2008-02-19 | BEA08-199.00 | A carefully constructed URL may cause the Sun, IIS or Apache web-server to crash | advisory | High | High | 5.0 (Medium) | Plug-ins dated prior to November 2007 |
2008-02-19 | BEA08-200.00 | Server files can be accessed by a remote user | advisory | High | High | 7.8 (High) | BEA AquaLogic Collaboration 4.2 (-MP1) BEA Plumtree Collaboration 4.1 (-SP2) |
2007-12-12 | BEA07-182.00 | Application files and resources may be remotely accessed | advisory | Medium | High | 8 (High) | WLMS 3.3 WLMS 3.5 WLMS 3.6 (-SP1) |
2007-11-30 | BEA07-181.00 | BEA Plumtree Foundation search facility allows an unauthenticated guest user to search for user objects | advisory | Medium | Medium | 4.7 (Medium) | BEA Plumtree Foundation 6.0 BEA AquaLogic Interaction 6.1 BEA AquaLogic Interaction 6.1 MP1 |
2007-11-30 | BEA07-180.00 | BEA Plumtree Foundation full version vulnerability | advisory | Low | Low | 2.3 (Low) | BEA Plumtree Foundation 6.0 BEA AquaLogic Interaction 6.1 BEA AquaLogic Interaction 6.1 MP1 |
2007-11-30 | BEA07-179.00 | BEA Plumtree Foundation internal hostname disclosure vulnerability | advisory | Low | Low | 2.3 (Low) | BEA Plumtree Foundation 6.0 BEA AquaLogic Interaction 6.1 BEA AquaLogic Interaction 6.1 MP1 |
2007-08-28 | BEA07-178.00 | Java Secure Socket Extension Does Not Correctly Process SSL/TLS Handshake Requests Resulting in a Denial of Service (DoS) Condition | advisory | High | High | 3.3 (Low) | JRockit R27.3.1 or prior using 1.6.0_1 or earlier JRockit R27.3.1 or prior using 1.5.0 Updates 7, 8, 9, 10, and 11 JRockit R27.3.1 or prior using 1.4.2 Updates 11, 12, 13, and 14 |
2007-08-28 | BEA07-177.00 | Multiple Security Vulnerabilities in the Java Runtime Environment | advisory | High | High | 5.3 (Medium) | JRockit R27.3.1 or prior using 1.6.0_1 or earlier JRockit R27.3.1 or prior using 1.5.0_11 or earlier JRockit R27.3.1 or prior using 1.4.2_14 or earlier JRockit 7.0 SP6 RP1 or prior using JRE 1.3.1_20 or earlier |
2007-08-28 | BEA07-176.00 | Server may select a cipher suite that uses a null cipher for SSL communication with SSL clients | advisory | Medium | Medium | 5.9 (Medium) | WLS 10.0 WLS 9.2 (-MP1) WLS 9.1 WLS 9.0 WLS 8.1 (-SP6) WLS 7.0 (-SP7) |
2007-08-28 | BEA07-175.00 | SSL clients may not find all possible cipher suites resulting in use of the default null cipher (no encryption) | advisory | Medium | Medium | 5.9 (Medium) | WLS 10.0 WLS 9.2 (-MP2) WLS 9.1 WLS 9.0 WLS 8.1 (SP2-SP6) WLS 7.0 SP7 |
2007-08-28 | BEA07-148.01 | Malformed headers may cause high disk consumption | advisory | High | Medium | | WLS 7.0 (-SP7) WLS 6.1 (-SP7) |
2007-08-28 | BEA07-87.02 | A malicious client can cause threads to hang on the server. | advisory | High | High | | WLS 8.1 (-SP4) WLS 7.0 (-SP7) WLS 6.1 (-SP7) |
2007-05-23 | BEA07-164.01 | Security policy may not be applied to WebLogic administration deployers when uploading archives | advisory | Medium | High | 4.8 (Medium) | WLS 9.1 WLS 9.0 |
2007-05-14 | BEA07-174.00 | Non-trusted Applets may be able to elevate privileges | advisory | High | High | 8.0 (High) | JRockit prior to R26.0.0 1.4.2_07 JRockit prior to R26.0.0 1.5.0_04 |
2007-05-14 | BEA07-173.00 | An Application started through Java Web Start may be able to elevate its privileges | advisory | Medium | Medium | 5.6 (Medium) | JRockit prior to R26.0.0 1.4.2_07 JRockit prior to R26.0.0 1.5.0_04 |
2007-05-14 | BEA07-172.00 | Buffer Overflow in processing GIF images | advisory | High | High | 8.0 (High) | JRockit prior to R26.0.0 1.4.2_07 JRockit prior to R26.0.0 1.5.0_04 |
2007-05-14 | BEA07-171.00 | Non-trusted Applets may be able to exploit serialization condition to elevate privileges | advisory | High | High | 8.0 (High) | JRockit prior to R26.0.0 1.4.2_07 JRockit prior to R26.0.0 1.5.0_04 |
2007-05-14 | BEA07-170.00 | Exposure of filenames in development mode | advisory | Low | Medium | 3.3 (Low) | WLI 9.2 WLI 8.1 (SP2-SP6) |
2007-05-14 | BEA07-169.00 | WebLogic SSL may verify RSA Signatures incorrectly if the RSA key exponent is 3 | advisory | High | Medium | 5.6 (Medium) | WLS 9.2 WLS 9.1 WLS 9.0 WLS 8.1 (-SP6) WLS 7.0 (-SP7) |
2007-05-14 | BEA07-168.00 | An SSL port may be susceptible to a Denial of Service attack | advisory | Low | Low | 1.9 (Low) | WLS 9.2 WLS 9.1 WLS 9.0 |
2007-05-14 | BEA07-167.00 | Inadvertent corruption of entitlements could result in unauthorized access to protected resources | advisory | Low | Low | 2.2 (Low) | WLP 9.2 |
2007-05-14 | BEA07-166.00 | Cross-site scripting attacks in the WebLogic Portal Groupspace application | advisory | Low | Medium | 3.4 (Low) | WLP 9.2 |
2007-05-14 | BEA07-165.00 | WebLogic JMS Message Bridge not enforcing proper credentials to access a protected queue | advisory | Medium | Low | 2.2 (Low) | WLS 8.1 (-SP6) WLS 7.0 (-SP7) |
2007-05-14 | BEA07-163.00 | The WLST script generated by configToScript may not encrypt sensitive attributes when creating a new domain. | advisory | Low | Medium | 2.3 (Low) | WLS 9.1 WLS 9.0 |
2007-05-14 | BEA07-162.00 | The WebLogic console may display certain Web Service sensitive attributes in clear text | advisory | Low | Medium | 2.3 (Low) | WLS 9.0 |
2007-05-14 | BEA07-161.00 | WebLogic Server Embedded LDAP may be susceptible to a brute force attack | advisory | Medium | High | 5.6 (Medium) | WLS 9.1 WLS 9.0 WLS 8.1 (-SP5) WLS 7.0 (-SP6) |
2007-05-14 | BEA07-160.00 | Security policies may not be enforced on WebLogic JMS servers | advisory | Medium | Medium | 5.6 (Medium) | WLS 8.1 (-SP4) WLS 7.0 (-SP6) WLS 6.1 (-SP7) |
2007-05-14 | BEA07-158.00 | The Tuxedo cnsbind cnsunbind and cnsls commands may echo sensitive information in clear text | advisory | Low | High | 2.9 (Low) | Tuxedo 8.1 Tuxedo 8.0 WLE 5.1 |
2007-01-16 | BEA07-157.00 | Authorization checks may not be enforced in AquaLogic Service Bus proxy services | advisory | Medium | Medium | | ALSB 2.5 ALSB 2.1 ALSB 2.0 |
2007-01-16 | BEA07-156.00 | Inadvertent corruption of WebLogic Portal entitlement policies. | advisory | Low | High | | WLP 9.2 |
2007-01-16 | BEA07-155.00 | An overflow condition may occur in products using BEA JRockit | advisory | High | High | | WLPL 8.1 (-SP5) WLS 8.1 (-SP5) JRockit 1.4.2 R24.5 |
2007-01-16 | BEA07-154.00 | Upgrade and patch are available to disable users in Active Directory LDAP server | advisory | Medium | High | | ALES 2.2 ALES 2.1 (-SP1) ALES 2.0 (-SP2) |
2007-01-16 | BEA07-153.00 | Audit events may be posted with incorrect severity. | advisory | Low | Medium | | ALES 2.2 ALES 2.1 (-SP1) ALES 2.0 (-SP2) |
2007-01-16 | BEA07-152.00 | Multiple vulnerabilities in WebLogic Server proxy plug-in for Netscape Enterprise Server | advisory | High | High | | WLS Netscape Enterprise Server proxy plug-in |
2007-01-16 | BEA07-151.00 | Inadvertent removal of access restrictions | advisory | Low | High | | WLP 9.2 |
2007-01-16 | BEA07-150.00 | A Denial of Service attack is possible against a WebLogic Server running on Solaris 9 | advisory | High | High | | WLS 9.2 WLS 9.1 WLS 9.0 |
2007-01-16 | BEA07-149.00 | Security policy changes may not be seen by managed server. | advisory | Medium | Medium | | WLS 9.1 |
2007-01-16 | BEA07-147.00 | Malformed HTTP requests may reveal data from previous requests | advisory | High | Low | | WLS 9.1 WLS 9.0 |
2007-01-16 | BEA07-146.00 | Denial-of-service vulnerability in the proxy plug-in for Apache web server. | advisory | High | High | | WLS Apache plug-in |
2007-01-16 | BEA07-145.00 | Permissions on EJB methods with array parameters may not be enforced | advisory | Medium | Low | | WLS 9.1 WLS 9.0 WLS 8.1 (-SP5) WLS 7.0 (-SP6) |
2007-01-16 | BEA07-144.00 | Some EJB calls can be unintentionally executed with administrative privileges when using WebLogic Server 6.1 compatibility realm | advisory | Medium | High | | WLS 9.1 WLS 9.0 WLS 8.1 (-SP5) WLS 7.0 (-SP7) |
2007-01-16 | BEA07-143.00 | WS-Security runtime fails to enforce decryption certificate | advisory | Low | Low | | WLS 9.1 WLS 9.0 |
2007-01-16 | BEA07-142.00 | Dynamic updates to applications deployed as exploded jars may result in incorrect access checking | advisory | Medium | Medium | | WLS 8.1 (-SP5) |
2007-01-16 | BEA07-141.00 | Socket muxer threads may block when processing error pages under load. | advisory | Low | High | | WLS 9.0 WLS 8.1 (-SP5) WLS 7.0 (-SP6) WLS 6.1 (-SP7) |
2007-01-16 | BEA07-140.00 | Sensitive attributes may be stored in clear-text after offline configuration | advisory | Low | Medium | | WLS 8.1 (-SP5) |
2007-01-16 | BEA07-139.00 | Application files are exposed when deploying via .ear or exploded .ear files. | advisory | High | High | | WLS 8.1 (-SP5) WLS 7.0 (-SP7) WLS 6.1 (-SP7) |
2007-01-16 | BEA07-138.00 | Problem with certificate validation on WebLogic web service clients | advisory | High | Low | | WLS 9.1 WLS 9.0 WLS 8.1 (-SP5) |
2007-01-16 | BEA07-137.00 | Incorrect thread management may lead to server unavailability. | advisory | High | High | | WLS 9.1 WLS 9.0 WLS 8.1 (-SP5) WLS 7.0 (-SP6) |
2007-01-16 | BEA07-136.00 | JDBCDataSourceFactory MBean password field not encrypted | advisory | Low | Medium | | WLS 9.0 WLS 8.1 (-SP4) WLS 7.0 (-SP6) |
2007-01-16 | BEA07-135.00 | Certificate validation condition in WebLogic Server | advisory | Medium | Medium | | WLS 8.1 (-SP4) |
2007-01-16 | BEA07-134.00 | SSL libraries may be vulnerable to unauthorized information disclosure | advisory | Low | Medium | | WLS 8.1 (-SP5) WLS 7.0 (-SP7) WLS 6.1 (-SP7) |
2007-01-16 | BEA07-125.01 | Internal network information may be externally visible | advisory | Low | Low | | WLS 8.1 (-SP4) WLS 7.0 (-SP6) WLS 6.1 (-SP7) |
2007-01-16 | BEA07-107.02 | Too many invalid login attempts allowed. | advisory | High | Medium | | WLS 8.1 (-SP5) WLS 7.0 (-SP6) |
2007-01-16 | BEA07-75.01 | Users granted the Monitor security role have permission to configure JDBC connection pools. | advisory | Low | Medium | | WLS 8.1 (SP2-SP4) |
2007-01-16 | BEA07-60.01 | Patches are available to protect user authorizations. | advisory | Low | Medium | | WLS 8.1 (-SP4) WLS 7.0 (-SP6) |
2006-05-15 | BEA06-133.00 | Sensitive internal system data may be exposed on the wire. | advisory | Medium | High | | WLS 8.1 (-SP4) WLS 7.0 (-SP6) |
2006-05-15 | BEA06-132.00 | Incorrect Quality of Service on some transaction coordination | advisory | Medium | Low | | WLS 8.1 (-SP3) |
2006-05-15 | BEA06-131.00 | Recovering admin password can leave cleartext password on disk | advisory | Low | High | | WLS 8.1 |
2006-05-15 | BEA06-130.00 | JSP showcode vulnerability | advisory | Low | Low | | WLS 8.1 (-SP4) WLS 7.0 (-SP6) |
2006-05-15 | BEA06-129.00 | Console displays the WebLogic Server IP address | advisory | Medium | Low | | WLS 8.1 (-SP4) WLS 7.0 (-SP6) WLS 6.1 (-SP7) |
2006-05-15 | BEA06-128.00 | Domain name is exposed on Console login form | advisory | Low | Low | | WLS 8.1 (-SP4) WLS 7.0 (-SP6) |
2006-05-15 | BEA06-127.00 | WebLogic Server HTTP handlers log username and password on failure | advisory | Low | Low | | WLS 9.0 WLS 8.1 (-SP5) WLS 7.0 (-SP6) WLS 6.1 (-SP7) |
2006-05-15 | BEA06-126.00 | Console incorrectly set JDBC policies | advisory | Low | Low | | WLS 9.0 |
2006-05-15 | BEA06-125.00 | Internal network information may be externally visible | advisory | Low | Low | | WLS 8.1 (-SP4) WLS 7.0 (-SP6) WLS 6.1 (-SP7) |
2006-05-15 | BEA06-124.00 | Applications installed on WebLogic Server can obtain private keys | advisory | Low | Low | | WLS 9.1 WLS 9.0 WLS 8.1 (-SP5) WLS 7.0 (-SP6) WLS 6.1 (-SP7) |
2006-05-15 | BEA06-121.00 | The stopWebLogic.sh script echoes the system password on UNIX | advisory | Low | High | | WLPL 8.1 (-SP2) WLPL 7.0 (-SP5) |
2006-05-15 | BEA06-120.01 | A default internal servlet allowed local file system access | advisory | High | High | | WLS 6.1 (-SP7) |
2006-05-15 | BEA06-114.01 | Application code installed on a server may be able to decrypt passwords | advisory | Low | High | | WLS 9.0 WLS 8.1 (-SP4) |
2006-05-15 | BEA06-81.02 | Anonymous binds to the embedded LDAP server are allowed. | advisory | High | High | | WLS 9.0 WLS 8.1 (-SP5) WLS 7.0 (-SP6) |
2006-03-20 | BEA06-123.00 | Certain XML documents can cause “server out of memory” errors. | advisory | High | High | | WLS 8.1 (-SP4) WLS 7.0 (-SP6) WLS 6.1 (-SP7) |
2006-03-20 | BEA06-122.00 | JSR-168 Portlets may be rendered to an unauthorized user | advisory | High | Medium | | WLP 8.1 (-SP5) |
2006-03-20 | BEA06-111.01 | The server log may be remotely viewable. | advisory | High | Low | | WLS 8.1 (-SP4) WLS 7.0 (-SP6) WLS 6.1 (-SP7) |
2006-03-20 | BEA06-105.01 | Certain HTTP requests may be used to launch HTTP Request Smuggling attacks on the server. | advisory | Medium | High | | WLS 8.1 (-SP4) WLS 7.0 (-SP6) WLS 6.1 (-SP7) |
2006-01-23 | BEA06-119.00 | Console applies incorrect JNDI policies. | advisory | Medium | Medium | | WLS 9.0 |
2006-01-23 | BEA06-118.00 | Server's SSL identity not properly protected from applications. | advisory | Low | Medium | | WLS 8.1 SP5 |
2006-01-23 | BEA06-117.00 | Using a connection filter can cause the server to slow down | advisory | Medium | High | | WLS 9.0 WLS 8.1 (-SP5) WLS 7.0 (-SP6) |
2006-01-23 | BEA06-116.00 | Non-active security provider appears active. | advisory | Low | Low | | WLS 9.0 |
2006-01-23 | BEA06-115.00 | A patch is available to enforce access to only specific resources. | advisory | High | High | | WLP 8.1 SP3, SP4, SP5 |
2006-01-23 | BEA06-113.00 | Changed passwords may show up in audit log | advisory | Medium | High | | WLS 8.1 (-SP4) |
2006-01-23 | BEA06-112.00 | An application's deployment descriptor source is visible. | advisory | High | Medium | | WLP 8.1 (-SP4) |
2006-01-23 | BEA06-109.00 | Multiple MBean vulnerabilities. | advisory | High | High | | WLS 8.1 (-SP4) WLS 7.0 (-SP6) WLS 6.1 (-SP7) |
2006-01-23 | BEA06-108.00 | Documentation is available describing securing multiple-domains managed from one instance of the WebLogic Server Administration Console. | advisory | Low | High | | WLS 7.0 WLS 6.1 |
2006-01-23 | BEA06-106.01 | Requests for a servlet doing relative forwarding may result in a Denial-of-Service (DOS) attack. | advisory | High | Medium | | WLS 8.1 (-SP4) WLS 7.0 (-SP6) |
2005-10-10 | BEA05-85.00 | Client/server communications that do not specify a user are not protected by the SSL protocol correctly. | advisory | Medium | High | | WLS 8.1 (-SP3) WLS 7.0 (-SP6) WLS 6.1 (-SP7) |
2005-10-10 | BEA05-86.00 | In specific circumstances, client/server communications are not using the SSL connection as expected | advisory | Medium | High | | WLS 8.1 (-SP4) WLS 7.0 (-SP6) WLS 6.1 (-SP7) |
2005-10-10 | BEA05-88.00 | A Deployed application can change privileges from Deployer to Admin. | advisory | Low | High | | WLS 8.1 (-SP4) WLS 7.0 (-SP6) |
2005-10-10 | BEA05-89.00 | Audit events may be posted with incorrect severity. | advisory | Low | Medium | | WLS 8.1 (-SP4) WLS 7.0 (-SP6) |
2005-10-10 | BEA05-90.00 | A patch is available to prevent users from accessing machine information behind a firewall. | advisory | Medium | Low | | WLS 8.1 (-SP3) |
2005-10-10 | BEA05-91.00 | The passphrase for the Trust keystore appears in clear text in the nodemanager.config file. | advisory | Low | Medium | | WLS 8.1 (-SP3) |
2005-10-10 | BEA05-92.00 | Principals from a derived Principal class may not be fully validated. | advisory | Low | High | | WLS 8.1 (-SP4) WLS 7.0 (-SP5) |
2005-10-10 | BEA05-93.00 | Servlet security constraint fails to properly protect root | advisory | High | Medium | | WLS 8.1 (-SP3) WLS 7.0 (-SP5) |
2005-10-10 | BEA05-94.00 | The local file system may be accessed remotely by a user granted the Admin security role. | advisory | Medium | Medium | | WLS 8.1 (-SP3) |
2005-10-10 | BEA05-95.00 | Exporting security policies from one operating system and importing to another operating system can lead to servlets being unprotected. | advisory | Low | Medium | | WLS 8.1 WLS 7.0 |
2005-10-10 | BEA05-96.00 | The passphrase for the private key used in the configuration of SSL appears in cleartext when creating a WebLogic Server domain using the Configuration Wizard. | advisory | Low | Medium | | WLS 8.1 (-SP3) |
2005-10-10 | BEA05-97.00 | Servlet resources may not be fully protected when using fullyDelegateAuthorization mode in the Administration Console. | advisory | Low | Medium | | WLS 8.1 (-SP3) WLS 7.0 (-SP5) |
2005-10-10 | BEA05-98.00 | Sensitive system properties values are displayed in the server log. | advisory | Low | High | | WLS 8.1 (-SP4) WLS 7.0 (-SP5) WLS 6.1 (-SP7) |
2005-10-10 | BEA05-99.00 | The password used to boot the server may appear in clear text in the Windows registry. | advisory | Low | High | | WLS 8.1 (-SP4) WLS 7.0 (-SP6) WLS 6.1 (-SP7) |
2005-10-10 | BEA05-100.00 | A password might be exposed in some Subjects constructed by the IIOP protocol | advisory | Low | High | | WLS 8.1 (-SP4) WLS 7.0 (-SP6) WLS 6.1 (-SP7) |
2005-10-10 | BEA05-101.00 | The documentation has been updated to recommend multiple administrator accounts. | advisory | High | Medium | | WLS 9.0 WLS 8.1 WLS 7.0 |
2005-10-10 | BEA05-102.00 | In specific circumstances, weblogic.Deployer communication with the Administration server could be compromised. | advisory | Medium | High | | WLS 8.1 (-SP4) WLS 7.0 (-SP6) |
2005-10-10 | BEA05-103.00 | Multicast data is not encrypted. | advisory | Medium | Medium | | WLS 8.1 (-SP4) WLS 7.0 (-SP5) |
2005-10-10 | BEA05-104.00 | Auditing of MBean configuration changes may stop. | advisory | Low | Medium | | WLS 8.1 (-SP4) |
2005-08-22 | BEA05-84.00 | A patch is available to enforce correct access restrictions. | advisory | High | High | | WLP 8.1 (-SP4) |
2005-08-15 | BEA05-61.01 | A patch is available to prevent Denial of Service attack | advisory | High | High | | WLS 8.1 (-SP2), SP4 |
2005-08-15 | BEA05-83.00 | JCE 1.2.1 cert will expire 7/27/2005 | notification | | | | WLS 7.0, WLPL 7.0 |
2005-05-24 | BEA05-52.02 | Patches are available to prevent unintended system administrator privileges | advisory | Very Low | Medium | | WLS 8.1 (-SP2) WLS 7.0 (-SP4) |
2005-05-24 | BEA05-72.01 | Upgrade and patch are available to disable users in Active Directory LDAP server | advisory | Medium | High | | WLS 8.1 (-SP2) WLS 7.0 (-SP5) |
2005-05-24 | BEA05-74.01 | Login exceptions may give clues as to why a login attempt failed. | advisory | High | High | | WLS 8.1 (-SP4) WLS 7.0 (-SP6) |
2005-05-24 | BEA05-75.00 | A patch is available to restrict access to JDBC connection pools from users granted the Monitor security role | advisory | Low | Medium | | WLS 8.1 SP2, SP3 |
2005-05-24 | BEA05-76.00 | WebLogic Server fails to audit and correctly handle exceptions generated by security providers | advisory | Medium | High | | WLS 8.1 (-SP3) WLS 7.0 (-SP5) |
2005-05-24 | BEA05-77.00 | User was not logged out when a Web application was redeployed | advisory | Low | Medium | | WLS 7.0 (-SP5) |
2005-05-24 | BEA05-78.00 | Incorrect password from failed login attempt echoed to standard output | advisory | Low | Medium | | WLP 8.1 (-SP3) |
2005-05-24 | BEA05-79.00 | Incorrect cookie data may impact cluster performance | advisory | High | High | | WLS 7.0 (-SP5) |
2005-05-24 | BEA05-82.00 | Denial of Service attack | advisory | High | High | | WLS 6.1 SP4 |
2005-03-28 | BEA05-51.01 | Patches available to protect password | advisory | Low | High | | WLS 8.1 (-SP2) WLS 7.0 (-SP5) WLS 6.1 (-SP6) |
2004-09-13 | BEA04-70.00 | Patches are available to protect Server version information | advisory | Low | Low | WLS 8.1 (-SP3) WLS 7.0 (-SP5) WLS 6.1 (-SP6) |
|
2004-09-13 | BEA04-67.00 | Upgrade and patches are available to prevent a showcode vulnerability | advisory | Low | Low | WLS 8.1 (-SP2) WLS 7.0 (-SP5) WLS 6.1 (-SP6) |
|
2004-09-13 | BEA04-65.00 | Patches are available to prevent unauthorized access | advisory | Medium | High | WLS 8.1 (-SP2) WLS 7.0 (-SP5) WLS 6.1 (-SP6) |
|
2004-09-13 | BEA04-71.00 | Upgrade and patch are available to ensure complete security role and policy deployment | advisory | Low | Medium | WLS 8.1 (-SP2) WLS 7.0 (-SP5) |
|
2004-09-13 | BEA04-73.00 | Documentation is available to configure the server for encryption of administrative data. | advisory | Low | High | WLS 8.1 (all) WLS 7.0 (all) |
|
2004-09-13 | BEA04-68.00 | Patches are available to assist in securing passwords in scripts using the WebLogic Server command-line utilities and Administrative ant tasks | notification | WLS 8.1 (-SP2) WLS 7.0 (-SP4) WLS 6.1 (-SP6) |
|||
2004-09-13 | BEA04-66.00 | Patches are available to prevent unauthorized access to Administrator commands | advisory | Medium | Medium | WLS 8.1 (-SP2) WLS 7.0 (-SP5) | |
2004-09-13 | BEA04-69.00 | Upgrade and patches are available to protect password | advisory | Low | High | WLS 8.1 (-SP2) WLS 7.0 (-SP5) WLS 6.1 (-SP6) | |
2004-06-28 | BEA04_64.00 | Patches available to protect Web Applications | advisory | Low | Low | WLS 8.1 (-SP2) WLS 7.0 (-SP5) | |
2004-06-28 | BEA04_63.00 | Patch available to prevent arbitrary file access and possible disk space exhaustion | advisory | High | High | WLPL 8.1 (-SP2) | |
2004-06-14 | BEA04_62.00 | A remedy is available to prevent unexpected user identity | advisory | Low | Low | WLS 8.1 (all) WLS 7.0 (all) WLS 6.1 (all) | |
2004-05-11 | BEA04_60.00 | Patches are available to protect user authorizations. | advisory | Low | Medium | WLS 8.1 (-SP2) WLS 7.0 (-SP5) | |
2004-05-11 | BEA04_59.00 | Patches are available to prevent unintended access to web applications. | advisory | Low | High | WLS 8.1 (-SP2) WLS 7.0 (-SP5) | |
2004-04-20 | BEA04_56.00 | Upgrades available to correct servlet security error | advisory | Low | High | WLS 8.1 (-SP1) WLS 7.0 (-SP4) | |
2004-04-20 | BEA04_58.00 | Patch available to protect passwords | advisory | Low | High | WLS 8.1 (-SP2) | |
2004-04-20 | BEA04_57.00 | Upgrade & patches available to prevent EJB objects being deleted without required permission | advisory | Low | High | WLS 8.1 (-SP2) WLS 7.0 (-SP4) WLS 6.1 (-SP6) | |
2004-04-13 | BEA04_53.00 | Patches are available to prevent password exposure | advisory | Low | High | WLS 8.1 (-SP2) WLS 7.0 (-SP4) WLS 6.1 (-SP6) | |
2004-04-13 | BEA04_54.00 | Patches available to prevent user impersonation | advisory | Medium | High | WLS 8.1 (-SP2) WLS 7.0 (-SP4) | |
2004-04-13 | BEA04_55.00 | Patches available to prevent password exposure | advisory | Low | High | WLS 8.1 (-SP2) WLS 7.0 (-SP4) | |
2004-03-10 | BEA04_43.01 | Workaround available to prevent MBean exposure | advisory | Low | Low | WLS 8.1 (all) WLS 7.0 WLS 6.1 (all) | |
2004-02-19 | BEA04_48.01 | Patches available to prevent compromise of user accounts | advisory | Low | High | WLS 8.1 (-SP2) WLS 7.0 (-SP4) WLS 6.1 (-SP6) WLS 5.1 (-SP13) | |
2004-01-26 | BEA04_49.00 | Upgrade available to protect Administrative permissions | advisory | Low | High | WLS 8.1 (-SP1) | |
2004-01-26 | BEA04_47.00 | Patch and upgrade available to prevent SSL Certificate re-use | advisory | Low | Medium | WLS 7.0 (-SP4) | |
2004-01-26 | BEA04_50.00 | Upgrade available to protect password | advisory | Low | High | WLS 8.1 (-SP1) | |
2004-01-12 | BEA04-45.00 | Upgrade recommended to prevent Denial of Service | advisory | High | High | WLS 7.0 (-SP4) WLS 6.1 (-SP5) WLS 5.1 (-SP13) | |
2004-01-12 | BEA04-46.00 | Upgrade available to protect password | advisory | Low | High | WLS 8.1 (-SP1) | |
2003-12-30 | BEA03-44.00 | Expiration of CA certificates | notification | WLS | |||
2003-11-11 | BEA03-39.00 | Remedies available to prevent Denial of Service | advisory | High | High | WLS 8.1 (-SP1) WLS 7.0 (-SP4) WLS 6.1 (-SP5) | |
2003-11-11 | BEA03-40.00 | Patches available to prevent unintended use of nonencrypted connection | advisory | Low | Low | WLS 8.1 (-SP1) WLS 7.0 (-SP4) | |
2003-11-11 | BEA03-42.00 | Patches available to protect Node Manager | advisory | Low | Low | WLS 8.1 (-SP1) WLS 7.0 (-SP4) WLS 6.1 (-SP5) | |
2003-11-11 | BEA03-41.00 | Patches available to protect password | advisory | Low | Low | WLS 8.1 (-SP1) | |
2003-11-11 | BEA03-43.00 | Workaround available to prevent Mbean exposure | advisory | Low | Low | WLS 8.1 (-SP1) WLS 7.0 (-SP4) WLS 6.1 (-SP5) | |
2003-10-29 | BEA03-38.00 | Patch available to prevent BEA Tuxedo Administration Console vulnerability | advisory | Low | Medium | Tuxedo 8.1 Tuxedo 8.0 Tuxedo 7.1 Tuxedo 6.5 Tuxedo 6.4 Tuxedo 6.3 WebLogic Enterprise 5.1 WebLogic Enterprise 5.0.1 WebLogic Enterprise 4.2 | |
2003-08-27 | BEA03-37.00 | Patch available to prevent unintentional access to the machine's file system over a Web browser. | advisory | Medium | High | WLI-BC 8.1 | |
2003-08-20 | BEA03-14.06 | Patch available for DOS attack | advisory | Low | High | WLS 7.0 (-SP1) WLS 6.1 (-SP3) WLS 6.0 (-SP2RP3) WLS 5.1 (-SP12) | |
2003-08-20 | BEA03-36.01 | Patches available to prevent multiple cross-site scripting (XSS) vulnerabilities. | advisory | Low | High | WLI 7.0 (-SP2) WLI 2.1 LD 1.1 WLS 7.0 (-SP3) WLS 6.1 (-SP5) WLS 5.1 | |
2003-07-30 | BEA03-35.00 | Patch available to safeguard current user identity | advisory | Medium | High | WLS 7.0 SP3 | |
2003-07-08 | BEA03-33.00 | Patches available to prevent operators from gaining administrative access | advisory | Low | High | WLS 8.1 WLS 7.0 (-SP2) | |
2003-07-08 | BEA03-34.00 | Patches available to protect password | advisory | Low | Low | WLS 7.0 (-SP2) WLS 6.1 (-SP5) | |
2003-07-08 | BEA03-32.00 | Patch available to prevent unauthorized access to the console | advisory | Low | Low | WLS 7.0 (-SP2) | |
2003-07-08 | BEA03-28.01 | Patches available to prevent non-privileged accounts to access application resources | advisory | Medium | High | WLS 8.1 WLS 7.0 (-SP2) WLS 6.1 (-SP4) WLS 6.0 (-SP2RP3) | |
2003-05-12 | BEA03-30.00 | Patch available to prevent clear-text passwords | advisory | Low | Medium | WLS 7.0 (-SP2) | |
2003-05-12 | BEA03-31.00 | Patches available to prevent invalid SSL certificate chain vulnerability | advisory | Medium | High | WLS 7.0 (-SP1) WLS 6.1 (-SP4) WLS 5.1 (-SP13) WLE 5.1 WLE 5.0.1 Tuxedo 8.1 Tuxedo 8.0 | |
2003-03-17 | BEA03-29.00 | Remedy available to prevent deletion of subcontexts | advisory | Low | Low | WLS 7.0 (-SP1) | |
2003-03-17 | BEA03-27.00 | Remedy available to prevent access to a web application without re-authentication | advisory | Low | Low | WLS 7.0 (-SP2) | |
2003-03-17 | BEA03-26.01 | Patch available to prevent session sharing | advisory | Low | High | WLS 7.0 (-SP2) WLS 6.1 (-SP4) WLS 6.0 (-SP2RP3) WLS 5.1 (-SP13) | |
2003-01-28 | BEA03-25.00 | Patch available to protect password | advisory | Low | High | WLS 7.0 (-SP1) | |
2003-01-10 | BEA03-24.00 | Patch available to protect password | advisory | Low | Low | WLS 7.0 (-SP1) | |
2002-12-13 | BEA02-23.01 | Patch available to prevent DOS attack through XML parsing | advisory | Low | Low | WLI 7.0 (-SP1) WLI 2.1 WLS 7.0 (-SP1) WLS 6.1 (-SP4) WLS 6.0 (-SP2RP3) | |
2002-10-15 | BEA02-22.00 | Patch available to prevent policy roles and mappings from being ignored in WebLogic Integration 7.0 or in WebLogic Server 7.0 Service Pack 1 | advisory | High | High | WLS 7.0 (-SP1) | |
2002-10-01 | BEA02-21.00 | Upgrade to prevent inadvertent removal of security from Servlets or EJBs | advisory | Low | High | WLS 7.0 | |
2002-09-27 | BEA02-20.00 | Upgrades to prevent data sharing | advisory | Low | Medium | WLS 7.0 WLS 6.1 (-SP2) | |
2002-07-03 | BEA02-19.00 | Patch available to prevent DOS attack | advisory | WLS 7.0 WLS 6.1 (-SP3) WLS 6.0 (-SP2RP3) WLS 5.1 (-SP12) | |||
2002-05-10 | BEA02-18.00 | Patch available to protect password exposure using SNMP Agent | advisory | Low | WLS 5.1 (-SP12) | ||
2002-05-09 | BEA02-17.00 | Patch available to prevent viewing of file contents | advisory | WLS 6.1 (-SP2) WLS 6.0 (-SP2RP3) WLS 5.1 (-SP12) WLS 4.5.2 (-SP2) WLS 4.5.1 (-SP15) | |||
2002-04-22 | BEA02-03.03 | Patch available for Show Code Vulnerability | advisory | WLS 6.1 (-SP2) WLS 6.0 (-SP2RP3) WLS 5.1 (-SP11) WLS 4.5.2 (-SP2) WLS 4.5.1 (-SP14) | |||
2002-04-22 | BEA02-16.01 | Patch available for SNMP implementation vulnerability | advisory | WLS 6.1 (-SP2) WLS 5.1 (-SP11) | |||
2002-01-31 | BEA02-15.00 | Patch available to protect password | advisory | Low | WLS 6.1 (-SP2) | ||
2002-01-10 | BEA02-13.00 | Patch Available for Unintended Permissions | advisory | WLS 6.1 (-SP1) WLS 6.0 (-SP2) WLS 5.1 (-SP10) WLS 4.5.2 (-SP2) WLS 4.5.1 (-SP15) | |||
2001-11-09 | BEA01-12.01 | Clarification in documentation for the CSR Generator Servlet for BEA WebLogic Server and BEA WebLogic Server Express | advisory | WLS 6.1 (all) WLS 5.1 (all) WLS 4.5.2 (all) WLS 4.5.1 (all) | |||
2001-06-22 | BEA01-11.00 | Fix available for Administrative Configuration Vulnerability | advisory | WLS 6.0 (-SP1) | |||
2001-05-09 | BEA01-10.00 | Patch Available for TDomain gateway Vulnerability in BEA Tuxedo | advisory | Medium | Tuxedo 6.3 Tuxedo 6.4 Tuxedo 6.5 Tuxedo 6.5.1 Tuxedo 7.1 Tuxedo 7.1.1 WLE 4.2 WLE 5.0 WLE 5.1 | ||
2001-03-27 | BEA00-09.00 | Patch Available for Default Settings of Directory Indexing | advisory | Low | WLS 6.0 | ||
2001-03-19 | BEA00-08.00 | Patch Available for Access Control Vulnerability in BEA Tuxedo | advisory | Medium | Tuxedo 7.1 | ||
2000-08-14 | BEA00-05.01 | Patch for buffer overflow in WLS Proxy Plug-In | advisory | Low | WLS 5.1 (-SP4) WLS 4.5.2 WLS 4.5.1 (-SP10) | ||
2000-07-31 | BEA00-04.00 | Compilation and Execution of Arbitrary Files in Web Document Root Directory | advisory | WLS 5.1 (all) | |||
2000-06-12 | BEA00-01.00 | Vulnerability in Default httpd.servlet configuration (Windows and NT only) | advisory | WLS 4.5.1 (all) WLS 4.0.4 (all) WLS 3.1.8 (all) | |||
2000-06-12 | BEA00-02.00 | Vulnerability in Default File Servlet configuration | advisory | WLS 5.1 (all) WLS 4.5.2 (all) WLS 4.5.1 (all) WLS 4.0.4 (all) WLS 3.1.8 (all) |
* Threat: The location from which an attack may be launched: "High" indicates a vulnerability that is remotely exploitable; a "Low" threat is a vulnerability that requires local access to the product.
** Severity: The extent of the potential impact: "High" indicates the integrity/availability/confidentiality of the product may be seriously compromised, "Low" indicates a less significant impact on the product's integrity/availability/confidentiality.
*** CVSS Rating: Common Vulnerability Scoring System (CVSS) is a vulnerability scoring system designed to provide an open and standardized method for rating IT vulnerabilities.
**** In this column, WLPL denotes WebLogic Platform, WLS denotes WebLogic Server and Express, WLI denotes WebLogic Integration, WLE denotes WebLogic Enterprise, LD denotes Liquid Data.
When a vulnerability exists in specific Service Packs, they are specified: for example, WLS 6.1 (-SP2) means that the vulnerability exists in the initial release of WebLogic Server and Express 6.1, as well as in Service Packs 1 and 2. WLS 6.1 means the vulnerability exists in the initial release of WebLogic Server and Express only. WLS 6.1 (all) means that the vulnerability exists in all versions of WebLogic Server and Express 6.1.