CVE-2022-21371 Vulnerability in Oracle WebLogic Server that affects 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.


Oracle WebLogic Server Web Services Engine (WSE) provides a web service interface to third-party applications. WSE is exposed over HTTP and can be attacked by unauthorized users. WSE provides functionality for validating and sanitizing input; however, malicious input can still cause invalid data to be processed by WSE. Access restriction of WSE is not applied when WSE is accessed over HTTPS. WSE can be exploited when access to WSE is allowed. WSE data is accessible by anonymous users, authenticated users or application groups. WSE does not by itself provide any access control. An attacker would have to obtain user credentials in order to exploit this vulnerability. WSE is installed on the same machine as the Oracle WebLogic Server Web Application Server. WSE is connected via a socket interface to the rest of the WL-* stack. An attacker would have to exploit a vulnerability in the Oracle WebLogic Server Web Application Server to compromise WSE. WSE has been configured to accept connections from all network interfaces. WSE can be exploited when it has access to the network and is connected to the rest of the WL-* stack. An attacker would

Overview

The Web Services Engine (WSE) is an Oracle product that allows a user to invoke and interact with a third-party application via a web service. WSE exposes an API over HTTP and provides the ability for third parties to access WSE via HTTPS. The API makes it possible for users of the Oracle WebLogic Server Web Application Server to invoke and interact with WSE, which would allow attackers to submit transactions and commands through the API.
When public access is allowed, attackers could exploit this vulnerability by submitting requests through the API to create malicious transactions or commands, which may cause inconsistent data in the database and could result in denial-of-service conditions.

Limitations and Recommendations

WSE is exposed to the Internet and can be exploited when access to WSE is allowed. The vulnerability does not have a CVSS score. WSE is installed on the same machine as the Oracle WebLogic Server Web Application Server.

Oracle WebLogic Server:

What You Should Know
In the March 2018 Critical Patch Update (CPU), Oracle identified two new vulnerabilities in Oracle WebLogic Server, CVE-2018-14884 and CVE-2018-14885. These vulnerabilities are remotely exploitable via an unauthenticated network connection.
The vulnerability affects a web service interface provided by Oracle WebLogic Server, specifically the WSE (Web Services Engine) interface. The WSE provides functionality for validating and sanitizing input; however, malicious input can still cause invalid data to be processed by the WSE.
WSE is exposed over HTTP, which means that it uses TLS/SSL to encrypt communication between servers and clients. However, access restriction of WSE is not applied when WSE is accessed over HTTPS. This means that an attacker could exploit this vulnerability when they have access to the network via a vulnerable host or client-side software such as a web browser or other application with out-of-band network connection capabilities.
WSE does not provide any access control on its own; this means that an attacker would have to obtain user credentials in order to exploit this vulnerability.

Background and Information Gathering

An attacker would need to obtain valid user credentials in order to exploit this vulnerability.
