Security Alert For CVE-2010-0073 Released
By Eric P. Maurice on Feb 04, 2010
Hi, this is Eric Maurice again.
Oracle just released a Security Alert with a fix for the vulnerability CVE-2010-0073, which affects Oracle WebLogic Node Manager. This vulnerability was recently publicly disclosed and the organization that discovered this vulnerability did not attempt to contact Oracle prior to releasing detailed technical information about it.
A successful exploitation of this vulnerability may result in a full compromise of the targeted server on Windows. On other platforms (Unix, Linux, etc.), the attacker may gain access to the targeted server with the same privileges as the WebLogic server processes. This kind of vulnerability further highlights the need to use "least privilege" as much as possible on operating systems for running sensitive processes and applications. Additionally, note that many organizations have firewall policies preventing connection to the Node Manager administrative port by external users, thus preventing the exploitation of the vulnerability by anonymous Internet users.
Oracle strongly recommends that WebLogic customers apply this fix as soon as possible, and review their network access policies to possibly further restrict TCP/IP access to the WebLogic Node Manager to very few trusted staff.
For more information:
- Oracle's security vulnerability fixing policies (including Oracle's policies when working with external security researchers) are available on http://www.oracle.com/technology/deploy/security/securityfixlifecycle.html
- The Critical Patch Updates and Security Alerts page is located on http://www.oracle.com/technology/deploy/security/alerts.htm
- Information on how to subscribe to Oracle security notifications are posted on: http://www.oracle.com/technology/deploy/security/securityemail.html