000020333 - Is ClearTrust affected by BEA WebLogic security vulnerability BEA03-29.00?

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000020333
Applies To: RSA ClearTrust 5.0.x
Issue: Is ClearTrust affected by BEA WebLogic security vulnerability BEA03-29.00?
Cause: BEA describes this vulnerability as follows: JNDI access is protected by the WebLogic Server via policies set in the console. We protect the JNDI tree with three permissions: "lookup", "modify", and "list". The "modify" permission is supposed to protect against items in the JNDI tree being added, deleted, or changed. Due to a coding mistake in WebLogic Server, the "modify" permission does not protect against the deletion of empty sub-contexts, that is, all users can delete empty sub-contexts.
Resolution: Although there is little to no risk of this vulnerability affecting ClearTrust's integration with the BEA WebLogic product, RSA strongly recommends that customers using BEA WebLogic visit BEA's advisory web site to download the latest service pack and/or patch releases to ensure that such vulnerabilities are addressed accordingly.
Legacy Article ID: a16044
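
A minimal Python model of the gap BEA describes, added here as an illustration and not taken from WebLogic or ClearTrust code. `NamingTree`, `unguarded_mutations` and the `patched` switch are hypothetical names, and the advisory does not say how the mistake was actually coded; the helper is the kind of authorization regression check that reports every mutating call a user without "modify" can complete.

```python
class NamingTree:
    """Constructed JNDI-like tree guarded by "lookup", "modify", "list"; not WebLogic code."""

    def __init__(self, policy, patched):
        self.policy = policy    # user -> set of granted permissions
        self.patched = patched  # False models the behaviour BEA describes
        self.root = {}          # nested dicts stand in for sub-contexts

    def _require(self, user, perm):
        if perm not in self.policy.get(user, set()):
            raise PermissionError(f"{user} lacks '{perm}'")

    def _walk(self, path):
        ctx = self.root
        for part in path:
            ctx = ctx[part]
        return ctx

    def create_subcontext(self, user, path):
        self._require(user, "modify")
        self._walk(path[:-1])[path[-1]] = {}

    def bind(self, user, path, value):
        self._require(user, "modify")
        self._walk(path[:-1])[path[-1]] = value

    def destroy_subcontext(self, user, path):
        if self.patched:  # hypothetical flaw: unpatched path never checks "modify"
            self._require(user, "modify")
        if self._walk(path):
            raise ValueError("sub-context is not empty")
        del self._walk(path[:-1])[path[-1]]

def unguarded_mutations(patched):
    """Return the mutating calls that succeed for a user without "modify"."""
    # Constructed sample policy: "guest" holds only "lookup" and "list".
    policy = {"admin": {"lookup", "modify", "list"}, "guest": {"lookup", "list"}}
    attempts = [("create_subcontext", (["new"],)),
                ("bind", (["ds"], "value")),
                ("destroy_subcontext", (["empty"],))]
    leaks = []
    for op, args in attempts:
        tree = NamingTree(policy, patched)
        tree.create_subcontext("admin", ["empty"])
        try:
            getattr(tree, op)("guest", *args)
            leaks.append(op)
        except PermissionError:
            pass
    return leaks
```

With `patched=False` the check reports only `destroy_subcontext`, matching the advisory's statement that adds and changes stay protected while empty sub-contexts can be deleted by any user.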
