SB2021012048 - Multiple vulnerabilities in Oracle WebLogic Server

Security Bulletin ID SB2021012048

Severity

High

Patch available

YES

Number of vulnerabilities 14

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 14 secuirty vulnerabilities.

1) Improper input validation (CVE-ID: CVE-2021-1996)

The vulnerability allows a remote privileged user to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Web Services component in Oracle WebLogic Server. A remote privileged user can exploit this vulnerability to gain access to sensitive information.

2) Improper input validation (CVE-ID: CVE-2021-2033)

The vulnerability allows a remote authenticated user to perform service disruption.

The vulnerability exists due to improper input validation within the Core Components component in Oracle WebLogic Server. A remote authenticated user can exploit this vulnerability to perform service disruption.

3) Uncontrolled memory allocation (CVE-ID: CVE-2018-10237)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to unbounded memory allocation. A remote attacker can cause the service to crash and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

4) Cross-site scripting (CVE-ID: CVE-2020-11022)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the regex operation in "jQuery.htmlPrefilter". A remote attacker can pass specially crafted data to the application that uses .html()</code>, <code>.append() or similar methods for it and execute arbitrary JavaScript code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

5) Improper input validation (CVE-ID: CVE-2021-1995)

The vulnerability allows a remote authenticated user to manipulate data.

The vulnerability exists due to improper input validation within the Web Services component in Oracle WebLogic Server. A remote authenticated user can exploit this vulnerability to manipulate data.

6) Improper input validation (CVE-ID: CVE-2020-5421)

The vulnerability allows a remote authenticated user to read and manipulate data.

The vulnerability exists due to improper input validation within the Core (Spring Framework) component in Oracle Communications Session Report Manager. A remote authenticated user can exploit this vulnerability to read and manipulate data.

7) Improper input validation (CVE-ID: CVE-2021-2109)

The vulnerability allows a remote privileged user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Console component in Oracle WebLogic Server. A remote privileged user can exploit this vulnerability to execute arbitrary code.

8) Protection mechanism failure (CVE-ID: CVE-2019-10086)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exist due to Beanutils is not using by default the a special BeanIntrospector class in PropertyUtilsBean that was supposed to suppress the ability for an attacker to access the classloader via the class property available on all Java objects. A remote attacker can abuse such application behavior against applications that were developed to rely on this security feature.

9) Improper input validation (CVE-ID: CVE-2021-2075)