Oracle WebLogic Server Multiple Vulnerabilities (July 2017 CPU)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

An application server installed on the remote host is affected by
multiple vulnerabilities.

Description :

The version of Oracle WebLogic Server installed on the remote host is
affected by multiple vulnerabilities :

- A flaw exists in Jython due to executable classes being
created with insecure permissions. A local attacker can
exploit this to bypass intended access restrictions and
thereby disclose sensitive information or gain elevated
privileges. (CVE-2013-2027)

- A remote code execution vulnerability exists in the
Apache Struts component in the Jakarta Multipart parser
due to improper handling of the Content-Type,
Content-Disposition, and Content-Length headers.
An unauthenticated, remote attacker can exploit this,
via a specially crafted header value in the HTTP
request, to execute arbitrary code. (CVE-2017-5638)

- An unspecified flaw exists in the Web Services component
that allows an unauthenticated, remote attacker to have
an impact on integrity and availability.
(CVE-2017-10063)

- An unspecified flaw exists in the Web Container
component that allows an authenticated, remote attacker
to disclose sensitive information. (CVE-2017-10123)

- An unspecified flaw exists in the JNDI component that
allows an unauthenticated, remote attacker to execute
arbitrary code. (CVE-2017-10137)

- An unspecified flaw exists in the Core Components that
allows an unauthenticated, remote attacker to cause a
denial of service condition. (CVE-2017-10147)

- An unspecified flaw exists in the Core Components that
allows an unauthenticated, remote attacker to have an
impact on integrity. (CVE-2017-10148)

- An unspecified flaw exists in the Web Container
component that allows an unauthenticated, remote
attacker to have an impact on confidentiality and
integrity. (CVE-2017-10178)

See also :

http://www.nessus.org/u?76f5def7

Solution :

Apply the appropriate patch according to the July 2017 Oracle
Critical Patch Update advisory.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.3
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true