Multiple vulnerabilities in Oracle WebLogic Server



Published: 2020-01-14 | Updated: 2023-11-16
Risk High
Patch available YES
Number of vulnerabilities 11
CVE-ID CVE-2020-2552
CVE-2020-2548
CVE-2020-2544
CVE-2020-2519
CVE-2020-2547
CVE-2020-2550
CVE-2020-2546
CVE-2020-6950
CVE-2019-17359
CVE-2020-2549
CVE-2020-2551
CWE-ID CWE-20
CWE-401
Exploitation vector Network
Public exploit Public exploit code for vulnerability #7 is available.
Vulnerability #11 is being exploited in the wild.
Vulnerable software
Subscribe
Oracle WebLogic Server
Server applications / Application servers

Vendor Oracle

Security Bulletin

This security bulletin contains information about 11 vulnerabilities.

Updated: 13.03.2020

Added link to PoC for vulnerability #11.

1) Improper input validation

EUVDB-ID: #VU25072

Risk: Medium

CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2552

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to read and manipulate data.

The vulnerability exists due to improper input validation within the WLS Core Components component in Oracle WebLogic Server. A remote privileged user can exploit this vulnerability to read and manipulate data.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 10.3.6.0.0 - 12.1.3.0.0

External links

http://www.oracle.com/security-alerts/cpujan2020.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper input validation

EUVDB-ID: #VU25071

Risk: Medium

CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2548

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to read and manipulate data.

The vulnerability exists due to improper input validation within the WLS Core Components component in Oracle WebLogic Server. A remote privileged user can exploit this vulnerability to read and manipulate data.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 10.3.6.0.0

External links

http://www.oracle.com/security-alerts/cpujan2020.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper input validation

EUVDB-ID: #VU25074

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2544

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Console component in Oracle WebLogic Server. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 10.3.6.0.0 - 12.2.1.4.0

External links

http://www.oracle.com/security-alerts/cpujan2020.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Improper input validation

EUVDB-ID: #VU25075

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2519

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Console component in Oracle WebLogic Server. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 10.3.6.0.0 - 12.2.1.4.0

External links

http://www.oracle.com/security-alerts/cpujan2020.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improper input validation

EUVDB-ID: #VU25070

Risk: Medium

CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2547

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to read and manipulate data.

The vulnerability exists due to improper input validation within the Console component in Oracle WebLogic Server. A remote privileged user can exploit this vulnerability to read and manipulate data.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 10.3.6.0.0 - 12.2.1.4.0

External links

http://www.oracle.com/security-alerts/cpujan2020.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Improper input validation

EUVDB-ID: #VU25069

Risk: Low

CVSSv3.1: 4.5 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2550

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local privileged user to read and manipulate data.

The vulnerability exists due to improper input validation within the WLS Core Components component in Oracle WebLogic Server. A local privileged user can exploit this vulnerability to read and manipulate data.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 10.3.6.0.0 - 12.2.1.4.0

External links

http://www.oracle.com/security-alerts/cpujan2020.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Improper input validation

EUVDB-ID: #VU25050

Risk: High

CVSSv3.1: 8.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2020-2546

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Application Container - JavaEE component in Oracle WebLogic Server. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 10.3.6.0.0 - 12.1.3.0.0

External links

http://www.oracle.com/security-alerts/cpujan2020.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

8) Improper input validation

EUVDB-ID: #VU25052

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-6950

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Web Container (JavaServer Faces) component in Oracle WebLogic Server. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 12.2.1.3.0 - 12.2.1.4.0

External links

http://www.oracle.com/security-alerts/cpujan2020.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Memory leak

EUVDB-ID: #VU22272

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-17359

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in the ASN.1 parser. A remote attacker can send a specially crafted ASN.1 data and cause an OutOfMemoryError and perform denial of service attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 12.2.1.3.0 - 12.2.1.4.0

External links

http://www.oracle.com/security-alerts/cpujan2020.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Improper input validation

EUVDB-ID: #VU25054

Risk: Medium

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2549

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote privileged user to execute arbitrary code.

The vulnerability exists due to improper input validation within the WLS Core Components component in Oracle WebLogic Server. A remote privileged user can exploit this vulnerability to execute arbitrary code.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 10.3.6.0.0

External links

http://www.oracle.com/security-alerts/cpujan2020.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Improper input validation

EUVDB-ID: #VU25049

Risk: High

CVSSv3.1: 9.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2020-2551

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the WLS Core Components component in Oracle WebLogic Server. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 10.3.6.0.0 - 12.2.1.4.0

External links

http://www.oracle.com/security-alerts/cpujan2020.html
http://www.r4v3zn.com/posts/b64d9185/
http://github.com/0nise/CVE-2020-2551


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.



###SIDEBAR###