Archive for April, 2011

Save the datasources, save the world.

by on Tuesday, April 5th, 2011

The Problem

While going about a routine hey, what’s that do at work, we discovered that, by default, Weblogic is configured to allow remote access to all JNDI resources. These resources include JDBC datasources. Datasources are defined to connect to a database as a specific user (this can be a proxy user, but not necessarily). What this means, is some intelligent person could gain access to the datasources configured on a Weblogic server and have all the powers allowed by the user defined in that datasource. This takes various levels of knowledge to be able to gain the correct host and port, and to be able to pass the right SQL to perform malicious operations. However difficult it may be, it is still a possibility.

With that in mind, Weblogic does provide a way to lock this down via security constraints. In fact, you can lock down many resources via these security policies which appear to be pretty open by default. However, enabling constraints can cause problems. Stack traces like the following can appear:

Cannot open connection; uncategorized SQLException for SQL [???]; SQL state [null];
error code [0]; weblogic.common.resourcepool.ResourcePermissionsException: User ""
does not have permission to perform operation "reserve" on resource "jdbc/xyz" of
module "null" of application "null" of type "ConnectionPool";

This presents us with the heart of the problem, how do we go about limiting access to these datasources and still allow the applications we maintain to function.