SB2021042539 - Multiple vulnerabilities in Oracle WebLogic Server

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2021042539

SB2021042539 - Multiple vulnerabilities in Oracle WebLogic Server

Published: April 25, 2021

Security Bulletin ID SB2021042539
Severity
High
Patch available
YES
Number of vulnerabilities 10
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 20% Medium 60% Low 20%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 10 secuirty vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2021-2214)

The vulnerability allows a remote privileged user to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Console component in Oracle WebLogic Server. A remote privileged user can exploit this vulnerability to gain access to sensitive information.


2) Improper input validation (CVE-ID: CVE-2021-2204)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Core component in Oracle WebLogic Server. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.


3) Improper input validation (CVE-ID: CVE-2021-2211)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Web Services component in Oracle WebLogic Server. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.


4) Improper input validation (CVE-ID: CVE-2021-2142)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Console component in Oracle WebLogic Server. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.


5) Improper input validation (CVE-ID: CVE-2021-2294)

The vulnerability allows a remote non-authenticated attacker to manipulate or delete data.

The vulnerability exists due to improper input validation within the Core component in Oracle WebLogic Server. A remote non-authenticated attacker can exploit this vulnerability to manipulate or delete data.


6) Improper input validation (CVE-ID: CVE-2019-3740)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Comp Management and Life Cycle Management (RSA BSAFE Crypto-J) component in Application Performance Management (APM). A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.


7) Protection mechanism failure (CVE-ID: CVE-2019-10086)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exist due to Beanutils is not using by default the a special BeanIntrospector class in PropertyUtilsBean that was supposed to suppress the ability for an attacker to access the classloader via the class property available on all Java objects. A remote attacker can abuse such application behavior against applications that were developed to rely on this security feature.


8) Improper input validation (CVE-ID: CVE-2021-2157)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the TopLink Integration component in Oracle WebLogic Server. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.


9) Improper input validation (CVE-ID: CVE-2021-2135)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Coherence Container component in Oracle WebLogic Server. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.


10) Improper input validation (CVE-ID: CVE-2021-2136)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Core component in Oracle WebLogic Server. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.


Remediation

Install update from vendor's website.

References