Security Intelligence Operations
Oracle WebLogic Server Administration Console Remote Cross-Site Scripting Vulnerability
Vulnerability Alert
Threat Type: Exploit Host or Network Trust: Cross-Site Scripting
IntelliShield ID: 19313
Version: 1
First Published: November 02, 2009 02:56 PM EST
Last Published: November 02, 2009 02:56 PM EST
Vector: Network
Authentication: None
Exploit: Unproven
Port: Not Available
CVE: CVE-2009-3396
BugTraq ID: 36766
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Mild Damage
CVSS Base: 4.3 (CVSS Version 2)
CVSS Temporal: 3.2
Version Summary: Oracle WebLogic Server contains a vulnerability that could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks. Updates are available.

Description

Oracle WebLogic Server contains a vulnerability that could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks.
The vulnerability is in the WebLogic Administration Console. An attacker could exploit the vulnerability by creating a malicious link and convincing a targeted user to follow it. If the user clicks the link, the attacker could execute arbitrary script code in the user's browser in the security context of the affected site.
Oracle has confirmed this vulnerability and released updated software.
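The attack path the description outlines, as an added example that is neither WebLogic console code nor part of the alert: a page handler that echoes a query parameter into HTML, shown in its reflected cross-site scripting form beside the output-encoded fix. Oracle has not disclosed which console page or parameter is affected, so the host, path, the `msg` parameter and the payload link below are constructed placeholders.

```python
"""Reflected XSS, in the shape the alert describes: a value taken from the
requested URL is written into the response page.  Added example, not WebLogic
console code; the page, the 'msg' parameter and the link are constructed."""

import html
from urllib.parse import parse_qs, urlsplit

# Constructed page template; the untrusted value lands in an HTML body context.
TEMPLATE = "<html><body><p>Status: {status}</p></body></html>"


def status_param(url):
    """Return the hypothetical 'msg' query parameter from a requested URL."""
    query = parse_qs(urlsplit(url).query)
    return query.get("msg", [""])[0]


def render_vulnerable(url):
    """Echo the parameter as-is.  Whatever the link carries becomes markup that
    runs in the victim's browser under the site's origin."""
    return TEMPLATE.format(status=status_param(url))


def render_fixed(url):
    """Same page with HTML entity encoding applied to the untrusted value, so
    the browser shows the payload as text instead of executing it."""
    return TEMPLATE.format(status=html.escape(status_param(url), quote=True))


def contains_live_script(page):
    """Crude indicator for the demo: an unencoded <script> tag is present."""
    return "<script" in page.lower()


# Constructed attacker link: the host and path are placeholders, and the
# payload only shows the page's origin, which is enough to prove the context.
PAYLOAD_LINK = (
    "https://console.example.net/status"
    "?msg=<script>alert(document.domain)</script>"
)

if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        page = render(PAYLOAD_LINK)
        print(f"{label:10} live script: {contains_live_script(page)}")
        print("  ", page)
```

The same crafted link yields live markup from one handler and inert text from the other; that difference is the whole fix. Entity encoding is correct for an HTML body context only; a value written into an attribute, a URL or a script block needs the encoder for that context.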

Warning Indicators

Oracle WebLogic Server versions 9.0, 9.1, 9.2.3 (9.2 MP3) and prior, 10.0.1 (10.0 MP1) and prior, and 10.3 are vulnerable.
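A triage helper for the version list above, added here as an example and not part of the alert: it parses the version strings WebLogic reports (dotted form, or maintenance-pack form such as `9.2 MP3`) and flags those inside the ranges this alert lists. The mapping of `9.2.3` to `9.2 MP3` and `10.0.1` to `10.0 MP1` follows WebLogic's own versioning; bare `10.3` is treated as 10.3.0 because the alert gives no ceiling for that branch; the inventory is constructed sample data.

```python
"""Flag WebLogic Server versions that fall inside the ranges this alert lists
for CVE-2009-3396.  Added example; the ranges come from the alert's Warning
Indicators, the host inventory below is constructed."""

import re

# Matches "10.0.1", "9.2 MP3", "WebLogic Server 10.3.0.0"; a maintenance pack
# number is WebLogic's third version component, so "MP3" becomes patch 3.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\s*MP(\d+))?", re.IGNORECASE)

# (major, minor) branch -> highest patch level the alert names as affected.
# 9.0, 9.1 and 10.3 are listed without a ceiling; they are read as the .0
# release of each branch (assumption, the alert does not say otherwise).
AFFECTED_CEILINGS = {
    (9, 0): 0,   # 9.0
    (9, 1): 0,   # 9.1
    (9, 2): 3,   # 9.2.3 and prior
    (10, 0): 1,  # 10.0.1 and prior
    (10, 3): 0,  # 10.3 (10.3.1 and later are not listed by this alert)
}


def parse_version(text):
    """Return (major, minor, patch) from a version banner, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    if m.group(4):
        patch = int(m.group(4))  # "MP<n>" form
    return (major, minor, patch)


def is_affected(text):
    """True when the version is inside a range the alert names as vulnerable.
    False means 'not listed by this alert', not 'known to be patched'."""
    version = parse_version(text)
    if version is None:
        raise ValueError(f"no WebLogic version found in {text!r}")
    major, minor, patch = version
    ceiling = AFFECTED_CEILINGS.get((major, minor))
    return ceiling is not None and patch <= ceiling


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("app01", "WebLogic Server 9.2 MP3"),
    ("app02", "WebLogic Server 10.0 MP2"),
    ("app03", "WebLogic Server 10.3.0.0"),
    ("app04", "WebLogic Server 10.3.1.0"),
    ("app05", "WebLogic Server 8.1 SP6"),
]


def triage(inventory):
    """Return the host names whose version is within the alert's ranges."""
    return [host for host, banner in inventory if is_affected(banner)]


if __name__ == "__main__":
    for host, banner in SAMPLE_INVENTORY:
        print(f"{host}: {banner} -> {'AFFECTED' if is_affected(banner) else 'not listed'}")
    print("to patch:", triage(SAMPLE_INVENTORY))
```

A False result only says the version is outside the ranges this alert names; releases it does not cover at all (8.1 in the sample) still need to be checked against the Critical Patch Update itself.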

IntelliShield Analysis

To exploit the vulnerability, an attacker will need to persuade a targeted user to click a malicious link. This action will typically require the use of social engineering tactics, such as sending the link via e-mail, instant messaging, or other forms of communication.
The Oracle Critical Patch Update for October 2009 lists and confirms CVE-2009-3396 as corrected; however, Oracle has not provided technical details for the vulnerability.

Vendor Announcements

Oracle has released a security advisory at the following link: Oracle Critical Patch Update October 2009

Impact

An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary script code in the targeted user's browser in the security context of the affected site. Because the affected pages belong to the Administration Console, the targeted user is typically a WebLogic administrator, so the script runs inside that user's console session and could allow the attacker to take actions as the user on the affected site or to obtain recently submitted data.

Technical Information

Additional technical information is not available.

Safeguards

Administrators are advised to apply the updates from the Oracle Critical Patch Update for October 2009.
Users should verify that unsolicited links are safe to follow.
Users are advised not to open e-mail messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in e-mail messages are safe, they are advised not to open them.

Patches/Software

Oracle has released patches for registered users at the following link: Oracle

Alert History

Initial Release

Product Sets

The security vulnerability applies to the following combinations of products.

LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.