CVE-2017-3506 vulnerability in Oracle Products
Published on April 24, 2017
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data as well as unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
Known Exploited Vulnerability
This Oracle WebLogic Server OS Command Injection Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute arbitrary code via a specially crafted HTTP request that includes a malicious XML document.
The following remediation steps are recommended / required by June 24, 2024: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Vulnerability Analysis
CVE-2017-3506 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. It has an exploitability score of 2.2 out of four. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Products Associated with CVE-2017-3506
You can be notified by stack.watch whenever vulnerabilities like CVE-2017-3506 are published in these products:
What versions are vulnerable to CVE-2017-3506?
- Oracle Weblogic Server Version 12.2.1.0.0
- Oracle Weblogic Server Version 12.1.3.0.0
- Oracle Weblogic Server Version 12.2.1.2.0
- Oracle Weblogic Server Version 10.3.6.0.0
- Oracle Weblogic Server Version 12.2.1.1.0