BSA-2016-012

Brocade Fabric OS

2 more products

21620

21 December 2018

24 October 2016

Closed

Low

4.9

N/A

CVE-2004-2320

Summary

Security Advisory ID: BSA-2016-012
Component: BEA WebLogic
Revision: 2.0: Final

 
The default configuration of BEA WebLogic Server and Express 8.1 SP2 and earlier, 7.0 SP4 and earlier, 6.1 through SP6, and 5.1 through SP13 responds to the HTTP TRACE request, which can allow remote attackers to steal information using cross-site tracing (XST) attacks in applications that are vulnerable to cross-site scripting.

Statement
The Apache Software Foundation do not treat this as a security issue. A configuration change can be made to disable the ability to respond to HTTP TRACE requests if required.

For more information please see:
http://www.apacheweek.com/issues/03-01-24#news
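
To confirm on a server you operate that the configuration change took effect, the following added example (not part of the advisory or of any vendor tooling) sends a single TRACE request carrying a random marker header and classifies the reply. The header name `X-Trace-Probe`, the result labels and the set of "refused" status codes are assumptions made for this sketch.

```python
import http.client
import secrets
import sys

# Status codes a server commonly returns when TRACE is refused (assumed set).
REFUSED = {403, 405, 501}


def classify_trace_response(status, content_type, body, marker):
    """Decide from one TRACE reply whether the method is still served.

    marker is the random value sent in a probe header. TRACE echoes the
    request, headers included, so finding it in the body proves reflection.
    """
    if status == 200 and marker.encode() in body:
        return "enabled"
    if status == 200 and content_type.lower().startswith("message/http"):
        # TRACE answered, but an intermediary stripped the probe header.
        return "enabled-headers-filtered"
    if status in REFUSED:
        return "disabled"
    return "inconclusive"


def probe_trace(host, port=80, use_tls=False, timeout=5.0):
    """Send one TRACE request to host and classify the reply."""
    marker = "trace-probe-" + secrets.token_hex(8)
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/", headers={"X-Trace-Probe": marker})
        resp = conn.getresponse()
        body = resp.read(65536)
        return classify_trace_response(
            resp.status, resp.getheader("Content-Type", ""), body, marker)
    finally:
        conn.close()


if __name__ == "__main__":
    # usage: python trace_check.py HOST [PORT] [tls]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    print(host, probe_trace(host, port, use_tls="tls" in sys.argv[3:]))
```

A result of `enabled` means request headers are reflected into the response body, which is the behaviour the XST description above depends on; `disabled` is the expected result once TRACE handling has been turned off.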

Products Confirmed Not Vulnerable
No Brocade Fibre Channel technology products from Broadcom are currently known to be affected by this vulnerability.

 

Version  Change                               Date
1.0      Initial Publication                  Oct 24, 2016
2.0      Updated to cover Fibre Channel Only  Dec 21, 2018
 

Disclaimer

THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.