Vulnerability CVE-2010-0073 - CERT Civis.Net

Vulnerability Name:

CVE-2010-0073 (CCN-55845)

Assigned:

2009-12-16

Published:

2010-01-23

Updated:

2021-04-21

Summary:

Unspecified vulnerability in the WebLogic Server in Oracle WebLogic Server 7.0 SP7, 8.1 SP6, 9.0, 9.1, 9.2 MP3, 10.0 MP2, and 10.3.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

CVSS v3 Severity:

9.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
8.7 High (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

7.6 High (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C)
6.6 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2010-0073

Source: CCN
Type: Intevydis blog
Oracle Weblogic 10.3.2 Node Manager fun

Source: CCN
Type: SA38345
Oracle WebLogic Server Node Manager Security Bypass

Source: CCN
Type: SA38473
Oracle WebLogic Server Node Manager Unspecified Vulnerability

Source: CCN
Type: SA39439
Oracle Fusion Middleware Products Multiple Vulnerabilities

Source: SECUNIA
Type: Third Party Advisory
39439

Source: CCN
Type: Oracle Security Alert for CVE-2010-0073
Oracle Security Alert for CVE-2010-0073

Source: CONFIRM
Type: Broken Link, Patch, Vendor Advisory
http://www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0073.html

Source: CCN
Type: Oracle Web site
Oracle WebLogic Server

Source: CCN
Type: OSVDB ID: 62033
Oracle WebLogic Server Node Manager (beasvc.exe) Access Restriction Bypass

Source: CCN
Type: BID-37926
Oracle WebLogic Server Node Manager 'beasvc.exe' Remote Command Execution Vulnerability

Source: CERT
Type: Third Party Advisory, US Government Resource
TA10-103B

Source: VUPEN
Type: Third Party Advisory
ADV-2010-0216

Source: XF
Type: UNKNOWN
weblogic-node-manager-command-execution(55845)

Vulnerable Configuration:

Configuration 1:

cpe:/a:oracle:weblogic_server:7.0:sp7:*:*:*:-:*:*

OR cpe:/a:oracle:weblogic_server:8.1:sp6:*:*:*:-:*:*

OR cpe:/a:oracle:weblogic_server:9.0:-:*:*:*:-:*:*

OR cpe:/a:oracle:weblogic_server:9.1:-:*:*:*:-:*:*

OR cpe:/a:oracle:weblogic_server:9.2:maintenance_pack3:*:*:*:-:*:*

OR cpe:/a:oracle:weblogic_server:10.0:maintenance_pack2:*:*:*:-:*:*

OR cpe:/a:oracle:weblogic_server:10.3.2.0.0:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:oracle:weblogic_server:9.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:weblogic_server:9.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:weblogic_server:9.2.0.0.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:weblogic_server:10.3.0.0.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:weblogic_server:10.3.2.0.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:weblogic_server:10.3.1.0.0:*:*:*:*:*:*:*

Denotes that component is vulnerable