Vulnerabilities in webserviceclient+ssl.jar in Weblogic 10.3 server

 
Greenhorn
Posts: 3
Hi,

I am using Weblogic server 10.3. While checking for vulnerabilities in the project, I came across CVE-2007-0417, CVE-2003-0640, CVE-2001-0098, CVE-2000-0681, CVE-2007-4618, CVE-2007-4617, CVE-2007-0425, CVE-2007-0418, CVE-2007-0408, CVE-2005-4757, CVE-2005-4756, all high vulnerabilities present in webserviceclient+ssl.jar. The description of these vulnerabilities says that they should be present in previous versions of Weblogic and should work fine in 10.3.

I am not sure; maybe I have missed something while understanding, as I am new to this.
Please suggest a way to resolve these security concerns.

Thanks in Advance!
 
Greenhorn
Posts: 20
All these are very old vulnerabilities and they should have been fixed by now. Also, it's not specific to webserviceclient+ssl.jar.
You can secure your server further by following my recommendations here:

http://weblogic-wonders.com/weblogic/2014/06/24/recommended-best-practices-securing-weblogic-server/

Thanks,
Faisal
 
Apporva Singh
Greenhorn
Posts: 3
Thanks Faisal.
Actually, for some old implementation reasons, only the "webserviceclient+ssl.jar" jar is kept in our project's third-party jars. I am not scanning the Weblogic server or its libraries; I am just scanning all the third-party jars, and hence "webserviceclient+ssl.jar" is also scanned. As you said, and as the description of these CVE IDs also says, these are related to Weblogic Server (earlier versions than 10gR3). But strangely, these vulnerabilities are shown for the "webserviceclient+ssl.jar" jar. I am using the OWASP Dependency Check tool for scanning the libraries.
I have attached the report for your reference, which says that these issues are present in the "webserviceclient+ssl.jar" jar.

Thanks.
 