09 february, 2010
DescriptionThis Security Alert addresses security issue CVE-2010-0073, a vulnerability in the Node Manager component of Oracle WebLogic Server. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A knowledgeable and malicious remote user can exploit this vulnerability which can result in impacting the availability, integrity and confidentiality of the targeted system.
Supported and Affected Products
• Oracle WebLogic Server 11gR1 releases (10.3.1 and 10.3.2)
• Oracle WebLogic Server 10gR3 release (10.3.0)
• Oracle WebLogic Server 10.0 through MP2
• Oracle WebLogic Server 9.0, 9.1, 9.2 through MP3
• Oracle WebLogic Server 8.1 through SP6
• Oracle WebLogic Server 7.0 through SP7
Patch Availability
Patches and relevant information for protection against this vulnerability can be found at:
https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1058764.1
Oracle strongly recommends that the fix for this vulnerability be applied as soon as possible.
Oracle also strongly recommends that you backup and comprehensively test the stability of your system upon application of any patch or workaround prior to deleting any of the original file(s) that are replaced by a patch or workaround.
It is also strongly recommended that customers apply January 2010 and earlier Critical Patch Updates. Oracle WebLogic Server Critical Patch Update patches are cumulative at sub-component level (e.g. WLS console, Web application, Node Manager are sub-components). The January 2010 Critical Patch Update patches include all the security fixes released since the July 2009 Critical Patch Update. The patches in January 2010 Critical Patch Update do not include all the earlier advisories prior to July 2009 Critical Patch Update (unless otherwise noted). So, WebLogic Server customers should refer to Previous Security Advisories to identify previous security fixes they want to apply.
Risk Matrix
Vuln# Component Protocol Package and/or Privilege Required Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Last Affected Patch set (per Supported Release) Notes
Base Score Access Vector Access Complexity Authentication Confidentiality Integrity Availability
CVE-2010-0073 WebLogic Server Network Node Manager Yes 10.0 Network Low None Complete Complete Complete 7.0 SP7, 8.1 SP6, 9.0, 9.1, 9.2 MP3, 10.0 MP2, 10.3.2
See Note below
Note:
The CVSS Base Score is 10.0 only for Windows on WebLogic Server versions 9.0 and later. The impacts for Confidentiality, Integrity and Availability are Complete.
The CVSS Base Score is 7.5 for Linux, Unix and other platforms on WebLogic Server versions 9.0 and later. The impacts for Confidentiality, Integrity and Availability are Partial+.
The CVSS Base Score is 5.0 for WebLogic Server versions 7.0. and 8.1 for all platforms. The impacts for Confidentiality and Integrity are None and Availability is Partial+.
Mitigation
Restricting access to the Node Manager port through firewalls or other network access controls will prevent the exploitation of this vulnerability by anonymous Internet users. In addition, organizations should consider updating their policies to permit access to this port only by trusted subnet/users.
References
Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
Risk Matrix definitions [ Risk Matrix Definitions ]
Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network ]
Software Error Correction Support Policy [My Oracle Support Note 209768.1 ]
Patch Availability for Oracle WebLogic Server for CVE-2010-0073 [CVE-2010-0073 ]
Modification History
04-February-2010 Initial release