Oracle WebLogic Server contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code. Updates are available.
Oracle WebLogic Server contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code.
The vulnerability exists due to an unspecified error in the Node Manager component. An unauthenticated, remote attacker could exploit this vulnerability through unspecified means to execute arbitrary code with the privileges of the affected application.
Oracle has confirmed this vulnerability and released software updates.
The following products are affected by this vulnerability:
Oracle WebLogic Server 11gR1 releases (10.3.1 and 10.3.2)
Oracle WebLogic Server 10gR3 release (10.3.0)
Oracle WebLogic Server 10.0 through MP2
Oracle WebLogic Server 9.0, 9.1, and 9.2 through MP3
Oracle WebLogic Server 8.1 through SP6
Oracle WebLogic Server 7.0 through SP7
Exploitation of this vulnerability could allow an attacker to execute arbitrary code with the privileges of the affected application. On Windows systems running version 9.0 and later, an exploit could result in a full system compromise. Other platforms such as UNIX and Linux have the application running with reduced privileges, so an exploit would not result in a full system compromise. WebLogic Server 7.0 and 8.1 also runs with reduced privileges on the Windows platform.
Oracle has released a security advisory at the following link: CVE-2010-0073
An unauthenticated, remote attacker could exploit this vulnerability to execute arbitrary code with the privileges of the affected application.
Additional technical information is not available.
Administrators are advised to apply the appropriate updates.
Administrators are advised to allow only trusted users to have network access.
Administrators are advised to monitor affected systems.
Oracle has released software updates at the following link: Oracle
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.