Security Hole in Fusion Middleware 11g WebLogic Admin Server

Posted by Dirk Nachbar on Wednesday, August 05, 2009 with No comments
After a little bit playing with the new Fusion Middleware 11g I found a small security hole in the WebLogic Admin Server.

In order to start the WebLogic Admin Server Oracle provides you a shellscript $MW_HOME/user_projects/domains/$DOMAIN_NAME/startWebLogic.sh

The first way you can use this script is in an interactive way, just execute the script and it will prompt you for the WebLogic Admin-User and his Password. But this methode is not usefull for e.g. RunLevel Scripts :-)
So the second way is, you can buildup a wrapperscript in which you define two Variables (WLS_USER and WLS_PW for the WebLogic Admin-User and his Password) and execute out of this wrapperscript the startWebLogic.sh script to start the WebLogic Admin Server without prompting of the User and Password.

But be aware, if you use the second option, the WebLogic Admin-User and his Password will be displayed in cleartext in the ps-List :-(

In the last line of the ps-List you will see username=weblogic and password=oracle11g

To get out of this problem, just create under your directory $MW_HOME/user_projects/domains/$DOMAIN_NAME/servers/AdminServer/security a file named boot.properties with the content
username=your_admin_user
password=your_admin_user_password
and with this boot.properties file you will not be prompted for the WebLogic Admin-User and his Password and moreover it will not be displayed at the ps-List :-)

Reaktionen: