PT-2006-1486 · Bea · Bea Weblogic Server+1
Publicado
2006-01-25
·
Atualizado
2008-09-05
·
CVE-2006-0419
CVSS v2.0
6.4
Média
| Vetor | AV:N/AC:L/Au:N/C:P/I:N/A:P |
Name of the Vulnerable Software and Affected Versions
BEA WebLogic Server and WebLogic Express versions 7.0 through SP6
BEA WebLogic Server and WebLogic Express versions 8.1 through SP5
BEA WebLogic Server and WebLogic Express version 9.0
Description
The issue allows anonymous binds to the embedded LDAP server. This enables remote attackers to read user entries or cause a denial of service by establishing a large number of connections.
Recommendations
For BEA WebLogic Server and WebLogic Express version 9.0, restrict access to the embedded LDAP server to prevent anonymous binds.
For BEA WebLogic Server and WebLogic Express versions 8.1 through SP5, limit the number of connections to the embedded LDAP server to prevent denial of service.
For BEA WebLogic Server and WebLogic Express versions 7.0 through SP6, consider disabling anonymous access to the embedded LDAP server until a fix is available.
Exploit
Correção
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Bea Weblogic Server
Weblogic Express