CVE-2004-1755

Vulnerability

The Web Services fat client for BEA WebLogic Server and Express 7.0 SP4 and earlier fails to properly associate a user's identity when a client establishes multiple 2-way SSL connections to the same URL using different client certificates. After the first successful connection, subsequent connections may reuse the previously cached identity instead of correctly associating the new client certificate with the appropriate user [1]. This affects all platforms for the specified versions.

Exploitation

An attacker must have a valid client certificate and the ability to initiate multiple SSL connections to the same target URL. No special network position beyond normal client connectivity is required. The attacker first establishes a connection using their own certificate, and then on a subsequent connection presents a different client certificate (e.g., one belonging to a different user) to the server. The server may incorrectly associate the attacker with the identity from the earlier connection, effectively reusing the previous identity [1].

Impact

A successful attack allows one user to execute commands or access resources as another user, effectively allowing privilege escalation. The attacker gains the identity and associated permissions of the user whose certificate was used in the initial connection, leading to unauthorized actions and potential full compromise of the affected user's account and data [1].

Mitigation

BEA released a patch to address this vulnerability. Users should upgrade to WebLogic Server 7.0 Service Pack 4 and apply the patch from BEA [1]. No workaround is documented; the permanent fix is to apply the patch. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.