BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2, when editing weblogic.xml using WebLogic Builder or the SecurityRoleAssignmentMBean.toXML method, inadvertently remove security-role-assignment tags when weblogic.xml does not have a principal-name tag, which can remove intended access restrictions for the associated web application.
WebLogic Express and WebLogic Server contain a flaw that may allow a remote attacker to gain unauthorized privileges. The issue is triggered when a weblogic.xml file is edited through WebLogic Builder or the SecurityRoleAssignmentMBean.toXML() method, which resets the permissions to their defaults and allows access to the web application. This flaw may lead to a loss of confidentiality.
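The defect above is a silent loss of configuration: a security-role-assignment element that carries a role-name but no principal-name is dropped when the descriptor is rewritten, and the role's access restriction goes with it. Administrators can catch both halves of that on their own side by parsing weblogic.xml before and after a tool touches it. The following check is an added example written for this entry, not BEA code or part of the advisory; it assumes the 7.0/8.1 descriptor layout (a weblogic-web-app root containing security-role-assignment elements with role-name and principal-name children, no XML namespace) and uses constructed sample descriptors.

```python
import xml.etree.ElementTree as ET

# Constructed sample weblogic.xml (not taken from the advisory). The "auditor"
# assignment has a role-name but no principal-name, which is exactly the shape
# the advisory says WebLogic Builder / toXML() drops.
BEFORE_XML = """<?xml version="1.0"?>
<weblogic-web-app>
  <security-role-assignment>
    <role-name>admin</role-name>
    <principal-name>Administrators</principal-name>
  </security-role-assignment>
  <security-role-assignment>
    <role-name>auditor</role-name>
  </security-role-assignment>
</weblogic-web-app>
"""

# Constructed "after editing" descriptor in which the auditor assignment is gone.
AFTER_XML = """<?xml version="1.0"?>
<weblogic-web-app>
  <security-role-assignment>
    <role-name>admin</role-name>
    <principal-name>Administrators</principal-name>
  </security-role-assignment>
</weblogic-web-app>
"""


def role_assignments(xml_text):
    """Map each role-name to the list of principal-name values assigned to it."""
    root = ET.fromstring(xml_text)
    result = {}
    for sra in root.iter("security-role-assignment"):
        role = sra.findtext("role-name")
        if role is None:
            continue  # malformed element; nothing to key on
        principals = [p.text.strip() for p in sra.findall("principal-name") if p.text]
        result[role.strip()] = principals
    return result


def roles_without_principal(xml_text):
    """Roles whose assignment has no principal-name at all.

    These are the assignments at risk under the advisory: flag them before the
    descriptor is opened in an editing tool, and add an explicit principal-name
    (or verify the role afterwards) rather than relying on the tool to keep them.
    """
    return sorted(role for role, principals in role_assignments(xml_text).items()
                  if not principals)


def dropped_roles(before_xml, after_xml):
    """Roles assigned in the pre-edit descriptor that are missing after the edit.

    A non-empty result means an access restriction was silently removed and the
    rewritten weblogic.xml must not be deployed as-is.
    """
    before = role_assignments(before_xml)
    after = role_assignments(after_xml)
    return sorted(set(before) - set(after))


if __name__ == "__main__":
    print("at-risk roles:", roles_without_principal(BEFORE_XML))
    print("dropped by edit:", dropped_roles(BEFORE_XML, AFTER_XML))
```

Run the at-risk check against every weblogic.xml under configuration control before anyone opens it in WebLogic Builder, and run the before/after comparison as a gate in whatever process promotes the edited descriptor to a deployment; a dropped role means the affected web application has lost a restriction, regardless of which tool performed the edit.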
Currently, there are no known workarounds to correct this issue. However, BEA Systems has released the following solution to address this vulnerability:
For WebLogic Server and WebLogic Express 7.0:
Upgrade to version 7.0 Service Pack 5 and apply the appropriate patch
For WebLogic Server and WebLogic Express 8.1:
Upgrade to version 8.1 Service Pack 2 and apply the appropriate patch