Detections
Analytics

Oracle WebLogic Server (Apr 2022 CPU)

critical Nessus Plugin ID 160036

Language:

Synopsis

An application server installed on the remote host is affected by multiple vulnerabilities

Description

The version of Oracle WebLogic Server installed on the remote host is missing a security patch from the April 2020 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities:

 - A temp directory creation vulnerability in the bundled Guava component that allows a low privileged attacker with logon access to the infrastructure where Oracle WebLogic Server executes to gain read access to a subset of data accessible to Oracle WebLogic Server. (CVE-2020-8908)

 - An improper input validation flaw in the bundled JBoss Enterprise Application Platform that allows an unauthenticated attacker with network access via HTTP update, insert or delete access to a subset of data accessible to Oracle WebLogic Server. (CVE-2021-28170)

 - A cross-site scripting vulnerability in the bundled JQuery component that allows an unauthenticated attacker with network access via HTTP, with human interaction from another user, update, insert, delete and read access to a subset of data accessible to Oracle WebLogic Server. (CVE-2021-41184)

 - A denial of service vulnerability in the core component of Oracle WebLogic Server that allows an unauthenticated attacker with network access via T3/IIOP to cause a hang or frequently repeatable crash of the Oracle WebLogic Server. (CVE-2022-21441)

 - A vulnerability in the console component of Oracle WebLogic Server that allows an unauthenticated attacker with network access via HTTP, with human interaction from another user, update, insert, delete and read access to a subset of the data accessible to Oracle WebLogic Server. (CVE-2022-21453)

 - A SQL injection vulnerability in the bundled Log4J component that allows an unauthenticated attacker with network access via HTTP to execute arbitrary code on the Oracle WebLogic Server. (CVE-2022-23305)

 - An XML injection vulnerability in the bundled Apache Xerces Java component that allows an unauthenticated attacker with network access via HTTP, with human interaction from another user, to cause a hang or frequently repeatable crash of Oracle WebLogic Server. (CVE-2022-23437)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Apply the appropriate patch according to the April 2022 Oracle Critical Patch Update advisory.

See Also

https://www.oracle.com/docs/tech/security-alerts/cpuapr2022cvrf.xml

https://www.oracle.com/security-alerts/cpuapr2022.html

Plugin Details

Severity: Critical

ID: 160036

File Name: oracle_weblogic_server_cpu_apr_2022.nasl

Version: 1.6

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 4/21/2022

Updated: 12/30/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus Agent

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-23305

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:oracle:fusion_middleware, cpe:/a:oracle:weblogic_server

Required KB Items: installed_sw/Oracle WebLogic Server

Exploit Ease: No known exploits are available

Patch Publication Date: 4/19/2022

Vulnerability Publication Date: 4/19/2022

Reference Information

CVE: CVE-2020-8908, CVE-2021-28170, CVE-2021-41184, CVE-2022-21441, CVE-2022-21453, CVE-2022-23305, CVE-2022-23437

IAVA: 2022-A-0171