Outlook Series | Oracle Releases Security Alert CVE-2010-0073 for WebLogic Server Vulnerability

Oracle Releases Security Alert CVE-2010-0073 for WebLogic Server Vulnerability

February 8, 2010

Oracle has released a security alert to address a vulnerability in Oracle WebLogic Server. Exploitation of this vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands on an affected system.

US-CERT encourages users and administrators to review the Oracle security alert and apply any necessary updates to help mitigate the risks.

Oracle Security Alert for CVE-2010-0073

Description

This Security Alert addresses security issue CVE-2010-0073, a vulnerability in the Node Manager component of Oracle WebLogic Server. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A knowledgeable and malicious remote user can exploit this vulnerability which can result in impacting the availability, integrity and confidentiality of the targeted system.

Supported and Affected Products

• Oracle WebLogic Server 11gR1 releases (10.3.1 and 10.3.2)
• Oracle WebLogic Server 10gR3 release (10.3.0)
• Oracle WebLogic Server 10.0 through MP2
• Oracle WebLogic Server 9.0, 9.1, 9.2 through MP3
• Oracle WebLogic Server 8.1 through SP6
• Oracle WebLogic Server 7.0 through SP7

Patch Availability

Patches and relevant information for protection against this vulnerability can be found at:

https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1058764.1

Oracle strongly recommends that the fix for this vulnerability be applied as soon as possible.

Oracle also strongly recommends that you backup and comprehensively test the stability of your system upon application of any patch or workaround prior to deleting any of the original file(s) that are replaced by a patch or workaround.

It is also strongly recommended that customers apply January 2010 and earlier Critical Patch Updates. Oracle WebLogic Server Critical Patch Update patches are cumulative at sub-component level (e.g. WLS console, Web application, Node Manager are sub-components). The January 2010 Critical Patch Update patches include all the security fixes released since the July 2009 Critical Patch Update. The patches in January 2010 Critical Patch Update do not include all the earlier advisories prior to July 2009 Critical Patch Update (unless otherwise noted). So, WebLogic Server customers should refer to Previous Security Advisories to identify previous security fixes they want to apply.

Note:

The CVSS Base Score is 10.0 only for Windows on WebLogic Server versions 9.0 and later. The impacts for Confidentiality, Integrity and Availability are Complete.
The CVSS Base Score is 7.5 for Linux, Unix and other platforms on WebLogic Server versions 9.0 and later. The impacts for Confidentiality, Integrity and Availability are Partial+.
The CVSS Base Score is 5.0 for WebLogic Server versions 7.0. and 8.1 for all platforms. The impacts for Confidentiality and Integrity are None and Availability is Partial+.

Mitigation

Restricting access to the Node Manager port through firewalls or other network access controls will prevent the exploitation of this vulnerability by anonymous Internet users. In addition, organizations should consider updating their policies to permit access to this port only by trusted subnet/users.

References

Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
Risk Matrix definitions [ Risk Matrix Definitions ]
Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network]
Software Error Correction Support Policy [My Oracle Support Note 209768.1 ]
Patch Availability for Oracle WebLogic Server for CVE-2010-0073 [CVE-2010-0073 ]

Modification History

04-February-2010

Initial release