| Vulnerability Name: | CVE-2009-1016 (CCN-50051) | ||||||||
| Assigned: | 2009-04-14 | ||||||||
| Published: | 2009-04-14 | ||||||||
| Updated: | 2017-08-17 | ||||||||
| Summary: | Unspecified vulnerability in the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, 8.1 SP6, and 7.0 SP7 allows remote authenticated users to affect confidentiality, integrity, and availability, related to IIS. Note: the previous information was obtained from the April 2009 CPU. Oracle has not commented on claims from a reliable researcher that this is a stack-based buffer overflow involving an unspecified Server Plug-in and a crafted SSL certificate. | ||||||||
| CVSS v3 Severity: | 8.0 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)
| ||||||||
| CVSS v2 Severity: | 8.5 High (CVSS v2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C) 6.3 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C)
6.3 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C)
| ||||||||
| Vulnerability Type: | CWE-noinfo | ||||||||
| Vulnerability Consequences: | Bypass Security | ||||||||
| References: | Source: MITRE Type: CNA CVE-2009-1016 Source: MISC Type: UNKNOWN http://secunia.com/secunia_research/2009-23/ Source: CCN Type: SECTRACK ID: 1022059 Oracle WebLogic Server and Portal Bugs Let Remote Users Access and Modify Data and Cause Denial of Service Conditions Source: CCN Type: Oracle Critical Patch Update Advisory - April 2009 Oracle Critical Patch Update Advisory - April 2009 Source: CONFIRM Type: UNKNOWN http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html Source: CCN Type: Oracle SECURITY ADVISORY (CVE-2009-1016) Security vulnerability in WebLogic plug-ins for Apache, Sun and IIS Web servers Source: BID Type: UNKNOWN 34461 Source: CCN Type: BID-34461 Oracle April 2009 Critical Patch Update Multiple Vulnerabilities Source: SECTRACK Type: UNKNOWN 1022059 Source: CERT Type: US Government Resource TA09-105A Source: XF Type: UNKNOWN oracle-weblogic-plugins-system-integrity(50051) Source: XF Type: UNKNOWN oracle-bea-ssl-bo(64934) | ||||||||
| Vulnerable Configuration: | Configuration 1: Denotes that component is vulnerable | ||||||||
| Vulnerability Name: | CVE-2009-1016 (CCN-64934) | ||||||||
| Assigned: | 2009-04-15 | ||||||||
| Published: | 2009-04-15 | ||||||||
| Updated: | 2009-04-15 | ||||||||
| Summary: | Oracle BEA WebLogic Server Plug-ins are vulnerable to a stack-based buffer overflow, caused by improper bounds checking when parsing SSL certificates. By sending a specially-crafted SSL certificate, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. | ||||||||
| CVSS v3 Severity: | 7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
| ||||||||
| CVSS v2 Severity: | 8.5 High (CVSS v2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C) 7.0 High (Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C)
6.2 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C)
| ||||||||
| Vulnerability Consequences: | Gain Access | ||||||||
| References: | Source: MITRE Type: CNA CVE-2009-1016 Source: CCN Type: SA34074 Oracle BEA WebLogic Products Multiple Vulnerabilities Source: CCN Type: Secunia Research 15/04/2009 Oracle BEA WebLogic Server Plug-ins Certificate Buffer Overflow Source: CCN Type: SECTRACK ID: 1022059 Oracle WebLogic Server and Portal Bugs Let Remote Users Access and Modify Data and Cause Denial of Service Conditions Source: CCN Type: Oracle Critical Patch Update Advisory - April 2009 Oracle Critical Patch Update Advisory - April 2009 Source: CCN Type: BID-34461 Oracle April 2009 Critical Patch Update Multiple Vulnerabilities Source: XF Type: UNKNOWN oracle-bea-ssl-bo(64934) | ||||||||
| BACK | |||||||||