The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the CPUApr2020 advisory.

  - A remote code execution vulnerability exists in the Log4j SocketServer class due to unsafe deserialization of     untrusted data. An unauthenticated, remote attacker can exploit this to remotely execute arbitrary code when     combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j     versions up to 1.2 up to 1.2.17. (CVE-2019-17571)

  - An information disclosure vulnerability exists in the Console component. An unauthenticated, remote attacker can     exploit this to gain unauthorized read access to a subset of Oracle WebLogic Server accessible data. (CVE-2020-2766)

  - A vulnerability in the WLS Web Services component exists. An authenticated, remote attacker can exploit this via T3     to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle     WebLogic Server. (CVE-2020-2798)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Detections

Analytics

Oracle WebLogic Server Multiple Vulnerabilities (Apr 2020 CPU)

critical Nessus Plugin ID 135680

Version 1.10