Assistance With Patching WebLogic Vulnerabilities
(Doc ID 2635817.1)
Last updated on JANUARY 18, 2024
Applies to:
Oracle Communications Converged Application Server - Version 7.1 and laterInformation in this document applies to any platform.
Goal
Assistance with patching WebLogic vulnerabilities.
How to address the following vulnerbilities on weblogic 12.2.1.3.0?
- The remote Oracle WebLogic server is affected by a remote code execution vulnerability in the WLS Security component due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons File Upload library. An unauthenticated, remote attacker can exploit this, via a crafted a DiskFileItem object, to execute arbitrary code in the context of the WebLogic server.
- The remote Oracle WebLogic server is affected by a remote code execution vulnerability in the Core Components subcomponent due to unsafe deserialization of Java objects by the RMI registry. An unauthenticated, remote attacker can exploit this, via a crafted Java object, to execute arbitrary Java code in the context of the WebLogic server.
Note that this plugin does not attempt to exploit this RCE directly and instead checks for the presence of the patch Oracle supplied in the April 2018 critical patch update (CPU).
- The remote Oracle WebLogic server is affected by a remote code execution vulnerability in the Core Components subcomponent due to unsafe deserialization of Java objects. An unauthenticated, remote attacker can exploit this, via a crafted Java object, to execute arbitrary Java code in the context of the WebLogic server.
Solution
To view full details, sign in with your My Oracle Support account. |
|
Don't have a My Oracle Support account? Click to get started! |
In this Document
Goal |
Solution |
References |