Oracle Security Alert for CVE-2010-0073
Description
This Security Alert addresses security issue CVE-2010-0073, a vulnerability in the Node Manager component of Oracle WebLogic Server. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A knowledgeable and malicious remote user can exploit this vulnerability, which can affect the availability, integrity and confidentiality of the targeted system.
Supported and Affected Products
- Oracle WebLogic Server 11gR1 releases (10.3.1 and 10.3.2)
- Oracle WebLogic Server 10gR3 release (10.3.0)
- Oracle WebLogic Server 10.0 through MP2
- Oracle WebLogic Server 9.0, 9.1, 9.2 through MP3
- Oracle WebLogic Server 8.1 through SP6
- Oracle WebLogic Server 7.0 through SP7
Patch Availability
Patches and relevant information for protection against this vulnerability can be found at the Patch Availability link listed under References below.
Oracle strongly recommends that the fix for this vulnerability be applied as soon as possible.
Oracle also strongly recommends that you back up and comprehensively test the stability of your system after applying any patch or workaround, before deleting any of the original file(s) that the patch or workaround replaces.
It is also strongly recommended that customers apply the January 2010 and earlier Critical Patch Updates. Oracle WebLogic Server Critical Patch Update patches are cumulative at the sub-component level (e.g. WLS console, Web application and Node Manager are sub-components). The January 2010 Critical Patch Update patches include all the security fixes released since the July 2009 Critical Patch Update. The patches in the January 2010 Critical Patch Update do not include all the earlier advisories prior to the July 2009 Critical Patch Update (unless otherwise noted). WebLogic Server customers should therefore refer to Previous Security Advisories to identify earlier security fixes they want to apply.
Risk Matrix
Vuln# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | CVSS 2.0 Base Score (see Risk Matrix Definitions) | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Last Affected Patch set (per Supported Release) | Notes
---|---|---|---|---|---|---|---|---|---|---|---|---|---
CVE-2010-0073 | WebLogic Server | Network | Node Manager | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 7.0 SP7, 8.1 SP6, 9.0, 9.1, 9.2 MP3, 10.0 MP2, 10.3.2 | See Note below
Note:
- The CVSS Base Score is 10.0 only for Windows on WebLogic Server versions 9.0 and later. The impacts for Confidentiality, Integrity and Availability are Complete.
- The CVSS Base Score is 7.5 for Linux, Unix and other platforms on WebLogic Server versions 9.0 and later. The impacts for Confidentiality, Integrity and Availability are Partial+.
- The CVSS Base Score is 5.0 for WebLogic Server versions 7.0 and 8.1 on all platforms. The impacts for Confidentiality and Integrity are None and Availability is Partial+.
Mitigation
Restricting access to the Node Manager port through firewalls or other network access controls will prevent exploitation of this vulnerability by anonymous Internet users. In addition, organizations should consider updating their policies so that access to this port is permitted only from trusted subnets and users.
References
- Oracle Critical Patch Updates and Security Alerts main page (Oracle Technology Network)
- Oracle Critical Patch Updates and Security Alerts: Frequently Asked Questions (CPU FAQ)
- Risk Matrix Definitions
- Use of Common Vulnerability Scoring System (CVSS) by Oracle (Oracle CVSS Scoring)
- List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts (Oracle Technology Network)
- Software Error Correction Support Policy (My Oracle Support Note 209768.1)
- Patch Availability for Oracle WebLogic Server for CVE-2010-0073
Modification History
- 04-February-2010: Initial release