Oracle Security Alert for CVE-2010-0073

Description

This Security Alert addresses security issue CVE-2010-0073, a vulnerability in the Node Manager component of Oracle WebLogic Server. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A knowledgeable and malicious remote user can exploit this vulnerability which can result in impacting the availability, integrity and confidentiality of the targeted system.
 

Supported and Affected Products


• Oracle WebLogic Server 11gR1 releases (10.3.1 and 10.3.2)     
• Oracle WebLogic Server 10gR3 release (10.3.0)     
• Oracle WebLogic Server 10.0 through MP2     
• Oracle WebLogic Server 9.0, 9.1, 9.2 through MP3     
• Oracle WebLogic Server 8.1 through SP6     
• Oracle WebLogic Server 7.0 through SP7     

Patch Availability

Patches and relevant information for protection against this vulnerability can be found at:

   https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1058764.1

Oracle strongly recommends that the fix for this vulnerability be applied as soon as possible.

Oracle also strongly recommends that you backup and comprehensively test the stability of your system upon application of any patch or workaround prior to deleting any of the original file(s) that are replaced by a patch or workaround.

It is also strongly recommended that customers apply January 2010 and earlier Critical Patch Updates. Oracle WebLogic Server Critical Patch Update patches are cumulative at sub-component level (e.g. WLS console, Web application, Node Manager are sub-components). The January 2010 Critical Patch Update patches include all the security fixes released since the July 2009 Critical Patch Update. The patches in January 2010 Critical Patch Update do not include all the earlier advisories prior to July 2009 Critical Patch Update (unless otherwise noted). So, WebLogic Server customers should refer to Previous Security Advisories to identify previous security fixes they want to apply.


Risk Matrix


Vuln# Component Protocol Package and/or Privilege Required Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Last Affected Patch set (per Supported Release) Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2010-0073 WebLogic Server Network Node Manager Yes 10.0 Network Low None Complete Complete Complete

7.0 SP7, 8.1 SP6, 9.0, 9.1, 9.2 MP3, 10.0 MP2, 10.3.2

See Note below
 

Note:

  • The CVSS Base Score is 10.0 only for Windows on WebLogic Server versions 9.0 and later. The impacts for Confidentiality, Integrity and Availability are Complete.
  • The CVSS Base Score is 7.5 for Linux, Unix and other platforms on WebLogic Server versions 9.0 and later. The impacts for Confidentiality, Integrity and Availability are Partial+.
  • The CVSS Base Score is 5.0 for WebLogic Server versions 7.0. and 8.1 for all platforms. The impacts for Confidentiality and Integrity are None and Availability is Partial+.

Mitigation

Restricting access to the Node Manager port through firewalls or other network access controls will prevent the exploitation of this vulnerability by anonymous Internet users. In addition, organizations should consider updating their policies to permit access to this port only by trusted subnet/users.


References


Modification History


04-February-2010 Initial release