Oracle WebLogic Node Manager Remote Configuration Capability Lets Remote Users Execute Arbitrary Commands
|
|
SecurityTracker Alert ID: 1024569 |
|
SecurityTracker URL: http://securitytracker.com/id/1024569
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Oct 13 2010
|
Impact:
Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
|
Version(s): Oracle WebLogic Node Manager 10.3.3
|
Description:
A vulnerability was reported in Oracle WebLogic Node Manager. A remote user can execute arbitrary commands on the target system.
A remote user can connect to the target Node Manager service and set the configuration file location to an arbitrary UNC path. When the target Node Manager service loads an arbitrary password file specified by UNC path in the configuration file, the remote user can then authenticate to the target service and execute arbitrary commands on the target server.
The original advisory is available at:
http://www.kb.cert.org/vuls/id/924300
Carl Livitt of Stach & Liu, LLC reported this vulnerability via US-CERT.
|
Impact:
A remote user can execute arbitrary commands on the target system.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.oracle.com/ (Links to External Site)
|
Cause:
Access control error
|
Underlying OS:
Linux (Red Hat Enterprise), Linux (SuSE), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000), Windows (2003)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Wed, 13 Oct 2010 03:39:40 +0000
Subject: Oracle WebLogic Node Manager allows arbitrary configuration via UNC path
|
http://www.kb.cert.org/vuls/id/924300
|
|
