Lucene search

OracleCVE-2017-10147

HistoryAug 08, 2017 - 3:29 p.m.

CVE-2017-10147

2017-08-0815:29:04

oracle

web.nvd.nist.gov

cve-2017-10147

oracle

weblogic server

fusion middleware

vulnerability

network access

exploitable

dos

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

AI Score

8.1

Confidence

High

EPSS

0.003

Percentile

70.5%

JSON

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.1 and 12.2.1.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. While the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. CVSS 3.0 Base Score 8.6 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H). NOTE: the previous information is from the July 2017 CPU. Oracle has not commented on third-party claims that this issue exists in the migrate functionality in the WebLogic/cluster/singleton/ServerMigrationCoordinator class and allows remote attackers to shutdown the server via a crafted T3 request.

Affected configurations

Nvd

Vulners

Node

oracleweblogic_serverMatch10.3.6.0.0

oracleweblogic_serverMatch12.1.3.0.0

oracleweblogic_serverMatch12.2.1.1.0

oracleweblogic_serverMatch12.2.1.2.0

VendorProductVersionCPE
oracleweblogic_server10.3.6.0.0cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*
oracleweblogic_server12.1.3.0.0cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*
oracleweblogic_server12.2.1.1.0cpe:2.3:a:oracle:weblogic_server:12.2.1.1.0:*:*:*:*:*:*:*
oracleweblogic_server12.2.1.2.0cpe:2.3:a:oracle:weblogic_server:12.2.1.2.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
oracle	weblogic_server	10.3.6.0.0	cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:::::::*
oracle	weblogic_server	12.1.3.0.0	cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:::::::*
oracle	weblogic_server	12.2.1.1.0	cpe:2.3:a:oracle:weblogic_server:12.2.1.1.0:::::::*
oracle	weblogic_server	12.2.1.2.0	cpe:2.3:a:oracle:weblogic_server:12.2.1.2.0:::::::*

CNA Affected

[
  {
    "product": "WebLogic Server",
    "vendor": "Oracle Corporation",
    "versions": [
      {
        "status": "affected",
        "version": "10.3.6.0"
      },
      {
        "status": "affected",
        "version": "12.1.3.0"
      },
      {
        "status": "affected",
        "version": "12.2.1.1"
      },
      {
        "status": "affected",
        "version": "12.2.1.2"
      }
    ]
  }
]

References

www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

www.securityfocus.com/bid/99651

www.securitytracker.com/id/1038939

erpscan.io/advisories/erpscan-17-041-unauthorized-container-shutdown-servermigrationcoordinator/

github.com/vah13/OracleCVE/tree/master/CVE-2017-10147

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

AI Score

8.1

Confidence

High

EPSS

0.003

Percentile

70.5%

JSON

Related for CVE-2017-10147