Multiple vulnerabilities in Oracle WebLogic Server



Published: 2022-07-20 | Updated: 2023-01-22
Risk Critical
Patch available YES
Number of vulnerabilities 15
CVE-ID CVE-2022-21564
CVE-2022-21560
CVE-2022-21557
CVE-2022-29577
CVE-2022-21548
CVE-2021-40690
CVE-2020-28491
CVE-2022-24839
CVE-2020-36518
CVE-2020-11987
CVE-2021-2351
CVE-2021-26291
CVE-2022-22965
CVE-2021-23450
CVE-2022-23457
CWE-ID CWE-20
CWE-200
CWE-787
CWE-918
CWE-346
CWE-94
CWE-22
Exploitation vector Network
Public exploit Vulnerability #13 is being exploited in the wild.
Vulnerable software
Subscribe
Oracle WebLogic Server
Server applications / Application servers

Vendor Oracle

Security Bulletin

This security bulletin contains information about 15 vulnerabilities.

1) Improper input validation

EUVDB-ID: #VU65492

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21564

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Web Services component in Oracle WebLogic Server. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 12.2.1.3.0 - 14.1.1.0.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?3219

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Improper input validation

EUVDB-ID: #VU65491

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21560

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Core component in Oracle WebLogic Server. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 12.2.1.3.0 - 14.1.1.0.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?3219

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Improper input validation

EUVDB-ID: #VU65490

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-21557

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local privileged user to read and manipulate data.

The vulnerability exists due to improper input validation within the Web Container component in Oracle WebLogic Server. A local privileged user can exploit this vulnerability to read and manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 12.2.1.3.0 - 14.1.1.0.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?3219

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

4) Improper input validation

EUVDB-ID: #VU65469

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-29577

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Enterprise Manager Install (AntiSamy) component in Enterprise Manager Base Platform. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 12.2.1.3.0 - 14.1.1.0.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?3219

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

5) Improper input validation

EUVDB-ID: #VU65488

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-21548

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate or delete data.

The vulnerability exists due to improper input validation within the Core component in Oracle WebLogic Server. A remote non-authenticated attacker can exploit this vulnerability to manipulate or delete data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 12.2.1.3.0 - 14.1.1.0.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?3219

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

6) Information disclosure

EUVDB-ID: #VU58198

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-40690

CWE-ID: CWE-200 - Information Exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. A remote attacker can abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 12.2.1.3.0 - 14.1.1.0.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?3219

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

7) Input validation error

EUVDB-ID: #VU60986

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-28491

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 12.2.1.3.0 - 14.1.1.0.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?3219

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

8) Improper input validation

EUVDB-ID: #VU65486

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-24839

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Centralized Third Party Jars (NekoHTML) component in Oracle WebLogic Server. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 12.2.1.3.0 - 14.1.1.0.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?3219

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

9) Out-of-bounds write

EUVDB-ID: #VU61799

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-36518

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can trigger out-of-bounds write and cause a denial of service condition on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 12.2.1.3.0 - 14.1.1.0.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?3219

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

10) Server-Side Request Forgery (SSRF)

EUVDB-ID: #VU52501

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-11987

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 12.2.1.3.0 - 14.1.1.0.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?3219

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

11) Improper input validation

EUVDB-ID: #VU55044

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-2351

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Advanced Networking Option in Oracle Database Server. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 12.2.1.3.0 - 14.1.1.0.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?3219

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

12) Origin validation error

EUVDB-ID: #VU62492

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-26291

CWE-ID: CWE-346 - Origin Validation Error

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to Apache Maven follows by default all repositories that are defined in a dependency’s Project Object Model (pom), including repositories accessible over HTTP protocol (e.g. without TLS encryption). A remote attacker can perform MitM attack and compromise the application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 12.2.1.3.0 - 12.2.1.4.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?3219

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

13) Code Injection

EUVDB-ID: #VU61756

Risk: Critical

CVSSv3.1:

CVE-ID: CVE-2022-22965

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted HTTP request to the affected application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Note, the vulnerability is being actively exploited in the wild.

This vulnerability was dubbed "Spring4Shell".

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 12.2.1.3.0 - 14.1.1.0.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?3219

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

14) Code Injection

EUVDB-ID: #VU60834

Risk: High

CVSSv3.1:

CVE-ID: CVE-2021-23450

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can inject and execute arbitrary script code via the setObject function.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 12.2.1.4.0 - 14.1.1.0.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?3219

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

15) Path traversal

EUVDB-ID: #VU63479

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-23457

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences in getValidDirectoryPath. A remote attacker can send a specially crafted HTTP request and allow control-flow bypass checks to be defeated.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle WebLogic Server: 12.2.1.3.0 - 14.1.1.0.0


CPE2.3 External links

http://www.oracle.com/security-alerts/cpujul2022.html?3219

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###