Detections
Analytics
Oracle WebLogic 10.3.6.0.0 / 12.1.3.0.0 / 12.2.1.3.0 Remote Code Execution
critical Web App Scanning Plugin ID 112706
Language:
Synopsis
Oracle WebLogic 10.3.6.0.0 / 12.1.3.0.0 / 12.2.1.3.0 Remote Code ExecutionDescription
A vulnerability in Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0 & 12.2.1.3.0 allows an unauthenticated attacker with HTTP access to the service to obtain arbitrary code execution due to an insecure deserialization.Oracle proposes the associated patches on its site to fix the vulnerability.
Solution
Apply the security patches available on Oracle's website.See Also
https://www.oracle.com/security-alerts/alert-cve-2019-2729.html
Plugin Details
Severity: Critical
ID: 112706
Type: remote
Family: Component Vulnerability
Published: 2/25/2021
Updated: 9/7/2021
Scan Template: api, basic, full, pci, scan
Risk Information
VPR
Risk Factor: High
Score: 7.4
CVSS v2
Risk Factor: High
Base Score: 7.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS Score Source: CVE-2019-2729
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score Source: CVE-2019-2729
Vulnerability Information
Exploit Available: true
Exploit Ease: Exploits are available
Vulnerability Publication Date: 6/19/2019
Reference Information
CVE: CVE-2019-2729
BID: 108822
OWASP: 2010-A4, 2010-A8, 2013-A4, 2013-A7, 2013-A9, 2017-A5, 2017-A8, 2017-A9, 2021-A1, 2021-A6, 2021-A8
WASC: Improper Input Handling, Insufficient Authorization
CAPEC: 19, 441, 478, 479, 502, 503, 536, 546, 550, 551, 552, 556, 558, 562, 563, 564, 578, 586
DISA STIG: APSC-DV-000460, APSC-DV-002560, APSC-DV-002630
HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a)(1), 164.312(a)(2)(i)
ISO: 27001-A.13.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.14.2.5, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5
NIST: sp800_53-AC-3, sp800_53-CM-6b, sp800_53-SI-10(5)
OWASP API: 2019-API7, 2019-API8, 2023-API8
OWASP ASVS: 4.0.2-1.4.2, 4.0.2-14.2.1, 4.0.2-5.5.1