Oracle WebLogic Node Manager allows arbitrary configuration via UNC path

2010-10-12T00:00:00
ID VU:924300
Type cert
Reporter CERT
Modified 2011-01-19T14:02:00

Description

Overview

Oracle WebLogic Node Manager 10.3.3 and earlier versions contain a remote file inclusion vulnerability. This vulnerability could allow a remote attacker to execute arbitrary commands on an affected system.

Description

Node Manager is a WebLogic Server utility that enables you to start, shut down, and restart Administration Server and Managed Server instances from a remote location. An unauthenticated attacker has the ability to set the configuration file via UNC path.

An unauthenticated attacker can connect to the Node Manager service and set the configuration file location to a remote UNC path controlled by the attacker. The configuration file specifies the location of the password file, which can also be located on a UNC path controlled by the attacker. After the attacker has authenticated with their own password file they can use built in Node Manager features to execute commands on the Node Manager server.


Impact

A remote attacker with the ability to supply configuration files to an affected system may be able to bypass legitimate authentication checks and execute remote commands on an affected system.


Solution

Apply an Update
Install the Oracle Critical Patch Update for January 2011.


Firewall rules should be implemented to restrict the use of UNC paths on the Node Manager server as well as restricting access to the Node Manager service to only trusted sources.


Vendor Information

924300

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Vendor has issued information

__ Sort by: Status Alphabetical

Expand all

Affected Unknown __ Unaffected

Javascript is disabled. Click here to view vendors.

__ Oracle Corporation

Notified: May 25, 2010 Updated: June 14, 2010

Status

__ Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | | N/A

References

<http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html>

Acknowledgements

Thanks to Carl Livitt of Stach & Liu, LLC for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: | None
---|---
Severity Metric:** | 0.95
Date Public:
| 2010-10-12
Date First Published: | 2010-10-12
Date Last Updated: | 2011-01-19 14:02 UTC
Document Revision: | 32