Detections
Analytics
Oracle WebLogic 10.3.6.0.0 / 12.1.3.0.0 Remote Code Execution
critical Web App Scanning Plugin ID 112704
Language:
Synopsis
Oracle WebLogic 10.3.6.0.0 / 12.1.3.0.0 Remote Code ExecutionDescription
A vulnerability in Oracle WebLogic Server 10.3.6.0.0 & 12.1.3.0.0 allows an unauthenticated attacker with HTTP access to the service to obtain arbitrary code execution due to an insecure deserialization.Oracle proposes the associated patches on its site to fix the vulnerability.
Solution
Apply the security patches available on Oracle's website.See Also
https://www.oracle.com/security-alerts/alert-cve-2019-2725.html
Plugin Details
Severity: Critical
ID: 112704
Type: remote
Family: Component Vulnerability
Published: 2/19/2021
Updated: 9/7/2021
Scan Template: api, basic, full, pci, scan
Risk Information
VPR
Risk Factor: Critical
Score: 9.8
CVSS v2
Risk Factor: High
Base Score: 7.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS Score Source: CVE-2019-2725
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score Source: CVE-2019-2725
Vulnerability Information
Exploit Available: true
Exploit Ease: Exploits are available
Vulnerability Publication Date: 4/26/2019
CISA Known Exploited Vulnerability Due Dates: 7/10/2022
Reference Information
CVE: CVE-2019-2725
BID: 108074
OWASP: 2010-A1, 2010-A4, 2013-A1, 2013-A4, 2013-A9, 2017-A1, 2017-A8, 2017-A9, 2021-A3, 2021-A6, 2021-A8
WASC: Improper Input Handling
CAPEC: 10, 101, 108, 120, 13, 135, 14, 24, 250, 267, 273, 28, 3, 34, 42, 43, 45, 46, 47, 51, 52, 53, 586, 6, 64, 67, 7, 71, 72, 76, 78, 79, 8, 80, 83, 84, 9
DISA STIG: APSC-DV-002560, APSC-DV-002630
HIPAA: 164.306(a)(1), 164.306(a)(2)
ISO: 27001-A.14.2.5
NIST: sp800_53-CM-6b, sp800_53-SI-10, sp800_53-SI-10(5)
OWASP API: 2019-API7, 2019-API8, 2023-API8
OWASP ASVS: 4.0.2-14.2.1, 4.0.2-5.2.5, 4.0.2-5.5.1