Oracle WebLogic Server Multiple Vulnerabilities (October 2016 CPU)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

An application server installed on the remote host is affected by
multiple vulnerabilities.

Description :

The version of Oracle WebLogic Server installed on the remote host is
affected by multiple vulnerabilities :

- A remote code execution vulnerability exists in the
JMXInvokerServlet interface due to the unsafe
deserialization of unauthenticated Java objects using
the Apache Commons Collections (ACC) library. An
unauthenticated, remote attacker can exploit this to
execute arbitrary code. (CVE-2015-7501)

- An unspecified flaw exists in the Java Server Faces
subcomponent that allows an authenticated, remote
attacker to execute arbitrary code. (CVE-2016-3505)

- An unspecified flaw exists in the Web Container
subcomponent that allows an unauthenticated, remote
attacker to cause a denial of service condition.
(CVE-2016-5488)

- An unspecified flaw exists in the WLS-WebServices
subcomponent that allows an unauthenticated, remote
attacker to execute arbitrary code. (CVE-2016-5531)

- An unspecified flaw exists that allows an
unauthenticated, remote attacker to execute arbitrary
code. No other details are available. (CVE-2016-5535)

- An unspecified flaw exists in the CIE Related
subcomponent that allows a local attacker to impact
confidentiality and integrity. (CVE-2016-5601)

See also :

http://www.nessus.org/u?bac902d5
http://www.nessus.org/u?e0204f30

Solution :

Apply the appropriate patch according to the October 2016 Oracle
Critical Patch Update advisory.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 9.5
(CVSS2#E:F/RL:U/RC:ND)
Public Exploit Available : true
