Vulnerability Name: CVE-2007-4616 (CCN-36320)
Assigned: 2007-08-28
Published: 2007-08-28
Updated: 2018-10-26

Summary: The SSL server implementation in BEA WebLogic Server 7.0 Gold through SP7, 8.1 Gold through SP6, 9.0, 9.1, 9.2 Gold through MP1, and 10.0 sometimes selects the null cipher when no other cipher is compatible between the server and client, which might allow remote attackers to intercept communications.

CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
  Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
  Scope: Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): Low; Integrity (I): None; Availability (A): None

CVSS v2 Severity: 6.4 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
  5.6 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:H/RL:OF/RC:C)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
  Impact Metrics: Confidentiality (C): Partial; Integrity (I): Partial; Availability (A): None

CCN CVSS v2 Severity: 4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
  3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:H/RL:OF/RC:C)
  Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Medium; Authentication (Au): None
  Impact Metrics: Confidentiality (C): Partial; Integrity (I): None; Availability (A): None

Vulnerability Type: CWE-Other
Vulnerability Consequences: Obtain Information

References:
  Source: MITRE; Type: CNA; CVE-2007-4616
  Source: BEA; Type: Patch; BEA07-176.00
  Source: CCN; Type: SA26539; BEA WebLogic Multiple Vulnerabilities and Security Issues
  Source: SECUNIA; Type: Patch, Vendor Advisory; 26539
  Source: CCN; Type: SECTRACK ID: 1018620; WebLogic SSL Server May Use Null Encryption
  Source: SECTRACK; Type: Third Party Advisory, VDB Entry; 1018620
  Source: BID; Type: Third Party Advisory, VDB Entry; 25472
  Source: CCN; Type: BID-25472; BEA WebLogic Server Null Cipher Suite Multiple Information Disclosure Vulnerabilities
  Source: VUPEN; Type: Third Party Advisory; ADV-2007-3008
  Source: XF; Type: Third Party Advisory, VDB Entry; weblogic-nullcipher-information-disclosure(36320)
  Source: XF; Type: UNKNOWN; weblogic-nullcipher-information-disclosure(36320)
  Source: CCN; Type: BEA07-176.00; Server may select a cipher suite that uses a null cipher for SSL communication with SSL clients

Vulnerable Configuration:
  Configuration 1:
    cpe:/a:bea:weblogic_server:7.0:*:*:*:*:*:*:*
    OR cpe:/a:bea:weblogic_server:7.0:sp1:*:*:*:*:*:*
    OR cpe:/a:bea:weblogic_server:7.0:sp2:*:*:*:*:*:*
    OR cpe:/a:bea:weblogic_server:7.0:sp3:*:*:*:*:*:*
    OR cpe:/a:bea:weblogic_server:7.0:sp4:*:*:*:*:*:*
    OR cpe:/a:bea:weblogic_server:7.0:sp5:*:*:*:*:*:*
    OR cpe:/a:bea:weblogic_server:7.0:sp6:*:*:*:*:*:*
    OR cpe:/a:bea:weblogic_server:7.0:sp7:*:*:*:*:*:*
    OR cpe:/a:bea:weblogic_server:8.1:*:*:*:*:*:*:*
    OR cpe:/a:bea:weblogic_server:8.1:sp1:*:*:*:*:*:*
    OR cpe:/a:bea:weblogic_server:8.1:sp2:*:*:*:*:*:*
    OR cpe:/a:bea:weblogic_server:8.1:sp3:*:*:*:*:*:*
    OR cpe:/a:bea:weblogic_server:8.1:sp4:*:*:*:*:*:*
    OR cpe:/a:bea:weblogic_server:8.1:sp5:*:*:*:*:*:*
    OR cpe:/a:bea:weblogic_server:8.1:sp6:*:*:*:*:*:*
    OR cpe:/a:bea:weblogic_server:9.0:*:*:*:*:*:*:*
    OR cpe:/a:bea:weblogic_server:9.1:*:*:*:*:*:*:*
    OR cpe:/a:bea:weblogic_server:9.2:*:*:*:*:*:*:*
    OR cpe:/a:bea:weblogic_server:9.2:mp1:*:*:*:*:*:*
    OR cpe:/a:bea:weblogic_server:10.0:*:*:*:*:*:*:*
  Configuration CCN 1:
    cpe:/a:oracle:weblogic_server:9.0:*:*:*:*:*:*:*
    OR cpe:/a:oracle:weblogic_server:9.1:*:*:*:*:*:*:*
    OR cpe:/a:oracle:weblogic_server:9.2.0.0.0:*:*:*:*:*:*:*

Vulnerable components:
bea weblogic server 7.0
bea weblogic server 7.0 sp1
bea weblogic server 7.0 sp2
bea weblogic server 7.0 sp3
bea weblogic server 7.0 sp4
bea weblogic server 7.0 sp5
bea weblogic server 7.0 sp6
bea weblogic server 7.0 sp7
bea weblogic server 8.1
bea weblogic server 8.1 sp1
bea weblogic server 8.1 sp2
bea weblogic server 8.1 sp3
bea weblogic server 8.1 sp4
bea weblogic server 8.1 sp5
bea weblogic server 8.1 sp6
bea weblogic server 9.0
bea weblogic server 9.1
bea weblogic server 9.2
bea weblogic server 9.2 mp1
bea weblogic server 10.0
oracle weblogic server 9.0
oracle weblogic server 9.1
oracle weblogic server 9.2.0.0.0