The version of Oracle WebLogic Server installed on the remote host is missing a security patch from the January 2024 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities, including:

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Centralized Thirdparty     Jars (NekoHTML)). Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to     compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the     attacker. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
    (CVE-2023-49093)

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle     WebLogic Server. While the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional     products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or     modification access to critical data or all Oracle WebLogic Server accessible data. (CVE-2024-20927)

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Easily     exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle     WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or     complete access to all Oracle WebLogic Server accessible data. (CVE-2024-20931)

  Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Oracle WebLogic Server (January 2024 CPU)

critical Nessus Plugin ID 189176

Version 1.2

Version 1.1

Version 1.0

Version 1.2 Jan 22, 2024, 3:14 PM CVSS metrics ("CVSSv3 score" set to 9.8. "CVSSv3 vector" set to "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H") CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:POC/RL:OF/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:P/RL:O/RC:C") CVSSv3 score source (set to "CVE-2022-46337") Exploit attributes ("Exploit available" set to "True". "Exploitability ease" set to "Exploits are available") Plugin Feed: 202401221514
Version 1.1 Jan 19, 2024, 2:06 PM IAVM reference STIG Severity (set to "I") Plugin Feed: 202401191406
Version 1.0 Jan 18, 2024, 8:01 PM New Plugin Feed: 202401182001