This Security Alert addresses security issue CVE-2010-0073, a vulnerability in the Node Manager component of Oracle WebLogic Server. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A knowledgeable and malicious remote user can exploit this vulnerability which can result in impacting the availability, integrity and confidentiality of the targeted system.
Patches and relevant information for protection against this vulnerability can be found here.
Oracle strongly recommends that the fix for this vulnerability be applied as soon as possible.
Oracle also strongly recommends that you backup and comprehensively test the stability of your system upon application of any patch or workaround prior to deleting any of the original file(s) that are replaced by a patch or workaround.
It is also strongly recommended that customers apply January 2010 and earlier Critical Patch Updates. Oracle WebLogic Server Critical Patch Update patches are cumulative at sub-component level (e.g. WLS console, Web application, Node Manager are sub-components). The January 2010 Critical Patch Update patches include all the security fixes released since the July 2009 Critical Patch Update. The patches in January 2010 Critical Patch Update do not include all the earlier advisories prior to July 2009 Critical Patch Update (unless otherwise noted). So, WebLogic Server customers should refer to Previous Security Advisories to identify previous security fixes they want to apply.
|Vuln#||Component||Protocol||Package and/or Privilege Required||Remote Exploit without Auth.?||CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)||Last Affected Patch set (per Supported Release)||Notes|
|Base Score||Access Vector||Access Complexity||Authentication||Confidentiality||Integrity||Availability|
|CVE-2010-0073||WebLogic Server||Network||Node Manager||Yes||10.0||Network||Low||None||Complete||Complete||Complete||7.0 SP7, 8.1 SP6, 9.0, 9.1, 9.2 MP3, 10.0 MP2, 10.3.2||See Note below|
Restricting access to the Node Manager port through firewalls or other network access controls will prevent the exploitation of this vulnerability by anonymous Internet users. In addition, organizations should consider updating their policies to permit access to this port only by trusted subnet/users.