Lucene search

K
nessusThis script is Copyright (C) 2016-2024 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLE_WEBLOGIC_SERVER_CPU_JAN_2016.NBIN
HistoryJan 21, 2016 - 12:00 a.m.

Oracle WebLogic Server Multiple Vulnerabilities (January 2016 CPU)

2016-01-2100:00:00
This script is Copyright (C) 2016-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
69

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.967

Percentile

99.7%

The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities :

  • The Sites subcomponent is affected by a security bypass vulnerability in the Apache Xalan-Java library due to a failure to properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled. A remote attacker can exploit this to bypass restrictions and load arbitrary classes or access external resources.
    (CVE-2014-0107)

  • The WLS Security component is affected by a remote code execution vulnerability due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons Collections (ACC) library. A remote attacker, via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, can exploit this to execute arbitrary commands. (CVE-2015-4852)

  • An unspecified vulnerability exists in the WLS-Console subcomponent that allows a remote attacker to affect the integrity of the system. No other details are available. (CVE-2016-0464)

  • An unspecified vulnerability exists in the Coherence Container subcomponent that allows a remote attacker to affect the confidentiality, integrity, and availability of the system. No other details are available.
    (CVE-2016-0572)

  • An unspecified vulnerability exists in the WLS Java Messaging Service subcomponent that allows a remote attacker to affect the confidentiality, integrity, and availability of the system. No other details are available. (CVE-2016-0573)

  • Multiple unspecified vulnerabilities exist in the WLS Core Components subcomponent that allow a remote attacker to affect the confidentiality, integrity, and availability of the system. No other details are available. (CVE-2016-0574, CVE-2016-0577)

Binary data oracle_weblogic_server_cpu_jan_2016.nbin
VendorProductVersionCPE
oracleweblogic_servercpe:/a:oracle:weblogic_server
oraclefusion_middlewarecpe:/a:oracle:fusion_middleware

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.967

Percentile

99.7%