Oracle WebLogic Server Multiple Vulnerabilities (January 2016 CPU)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

An application server installed on the remote host is affected by
multiple vulnerabilities.

Description :

The version of Oracle WebLogic Server installed on the remote host is
affected by multiple vulnerabilities :

- The Sites subcomponent is affected by a security bypass
vulnerability in the Apache Xalan-Java library due to a
failure to properly restrict access to certain
properties when FEATURE_SECURE_PROCESSING is enabled. A
remote attacker can exploit this to bypass restrictions
and load arbitrary classes or access external resources.
(CVE-2014-0107)

- The WLS Security component is affected by a remote code
execution vulnerability due to unsafe deserialization of
unauthenticated Java objects that are passed to the Apache
Commons Collections (ACC) library. A remote attacker, via a
crafted serialized Java object in T3 protocol traffic to
TCP port 7001, can exploit this to execute arbitrary
commands. (CVE-2015-4852)

- An unspecified vulnerability exists in the WLS-Console
subcomponent that allows a remote attacker to affect
the integrity of the system. No other details are
available. (CVE-2016-0464)

- An unspecified vulnerability exists in the Coherence
Container subcomponent that allows a remote attacker to
affect the confidentiality, integrity, and availability
of the system. No other details are available.
(CVE-2016-0572)

- An unspecified vulnerability exists in the WLS Java
Messaging Service subcomponent that allows a remote
attacker to affect the confidentiality, integrity, and
availability of the system. No other details are
available. (CVE-2016-0573)

- Multiple unspecified vulnerabilities exist in the WLS
Core Components subcomponent that allow a remote
attacker to affect the confidentiality, integrity, and
availability of the system. No other details are
available. (CVE-2016-0574, CVE-2016-0577)
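As an added detection example for the CVE-2015-4852 item above (not part of the Nessus plugin or Oracle's advisory), the Python below flags T3 traffic that carries a Java serialization stream referencing classes from the Apache Commons Collections package. The T3 hello line, the class-descriptor scan and the sample class name are assumptions or constructed data; the scan is a heuristic over TC_CLASSDESC records, not a full deserialization parser.

```python
import re
import struct

# Java serialization stream header and the TC_CLASSDESC record tag.
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_CLASSDESC = 0x72
CLASS_NAME_RE = re.compile(r"^[\[A-Za-z_$][A-Za-z0-9_$.;\[]*$")
# Class family the advisory names as the deserialization sink (ACC).
BLOCKED_PREFIXES = ("org.apache.commons.collections",)

def class_descriptors(stream: bytes) -> list[str]:
    """Heuristic: collect names from TC_CLASSDESC records (tag, u16 length, name)."""
    names = []
    for i, tag in enumerate(stream):
        if tag != TC_CLASSDESC or i + 3 > len(stream):
            continue
        (length,) = struct.unpack(">H", stream[i + 1:i + 3])
        raw = stream[i + 3:i + 3 + length]
        if length == 0 or len(raw) != length:
            continue
        try:
            name = raw.decode("ascii")
        except UnicodeDecodeError:
            continue
        if CLASS_NAME_RE.match(name):
            names.append(name)
    return names

def inspect_t3_payload(payload: bytes) -> dict:
    """Flag a T3 message whose embedded Java object stream references a blocked class."""
    is_t3 = payload.startswith(b"t3 ")
    offset = payload.find(JAVA_STREAM_MAGIC)
    if offset < 0:
        return {"t3": is_t3, "serialized": False, "classes": [], "flagged": [], "suspicious": False}
    classes = class_descriptors(payload[offset:])
    flagged = [c for c in classes if c.startswith(BLOCKED_PREFIXES)]
    return {"t3": is_t3, "serialized": True, "classes": classes,
            "flagged": flagged, "suspicious": bool(flagged)}

def _classdesc(name: str) -> bytes:
    """Build one TC_CLASSDESC record for the constructed samples below."""
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name.encode("ascii")

# Constructed samples, not real captures: a T3 hello (assumed field layout) plus a minimal stream.
T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\n\n"
SAMPLE_BENIGN = T3_HELLO + JAVA_STREAM_MAGIC + _classdesc("java.util.HashMap") + b"\x00" * 8
SAMPLE_SUSPICIOUS = (T3_HELLO + JAVA_STREAM_MAGIC + _classdesc("java.util.HashMap")
                     + _classdesc("org.apache.commons.collections.SampleClass") + b"\x00" * 8)
```

A real deployment would feed reassembled TCP payloads on port 7001 into inspect_t3_payload and alert on any result with suspicious set; patching per the Solution below remains the actual fix.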

See also :

http://www.nessus.org/u?da1a16c5
http://www.nessus.org/u?e643827d
http://www.nessus.org/u?e0204f30

Solution :

Apply the appropriate patch according to the January 2016 Oracle
Critical Patch Update advisory.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
