SB2021101936 - Multiple vulnerabilities in Oracle WebLogic Server

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2021101936

SB2021101936 - Multiple vulnerabilities in Oracle WebLogic Server

Published: October 19, 2021 Updated: July 14, 2022

Security Bulletin ID SB2021101936
Severity
High
Patch available
YES
Number of vulnerabilities 9
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 11% Medium 44% Low 44%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 9 secuirty vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2021-35552)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Diagnostics component in Oracle WebLogic Server. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.


2) Path traversal (CVE-ID: CVE-2021-29425)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error within the FileNameUtils.normalize method when processing directory traversal sequences, such as "//../foo", or "\..foo". A remote attacker can send a specially crafted request and verify files availability in the parent folder.


3) XML External Entity Reference (CVE-ID: CVE-2019-12400)

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to the loading of XML parsing code from an untrusted source. A remote attacker can exploit this vulnerability to launch further attacks on the system when validating signed documents. 


4) Uncontrolled memory allocation (CVE-ID: CVE-2018-10237)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to unbounded memory allocation. A remote attacker can cause the service to crash and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

5) Cross-site scripting (CVE-ID: CVE-2020-11022)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the regex operation in "jQuery.htmlPrefilter". A remote attacker can pass specially crafted data to the application that uses .html()</code>, <code>.append() or similar methods for it and execute arbitrary JavaScript code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


6) Improper input validation (CVE-ID: CVE-2021-35620)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Core component in Oracle WebLogic Server. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.


7) Resource exhaustion (CVE-ID: CVE-2020-7226)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources within CiphertextHeader.java in Cryptacular. A remote attacker can trigger excessive memory allocation during a decode operation, because the nonce array length associated with "new byte" may depend on untrusted input within the header of encoded data.


8) Improper input validation (CVE-ID: CVE-2021-35617)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Coherence Container component in Oracle WebLogic Server. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.


9) Improper access control (CVE-ID: CVE-2018-8088)

The vulnerability allows a remote unauthenticated attacker to bypass access restrictions on the target system.

The weakness exists in the org.slf4j.ext.EventData class due to improper security restrictions. A remote attacker can send specially crafted input, bypass access restrictions and gain unauthorized access to perform further attacks.

Remediation

Install update from vendor's website.

References