Pierluigi Paganini June 03, 2024

CISA adds Oracle WebLogic Server OS command injection vulnerability to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Oracle WebLogic Server vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

The issue, tracked as CVE-2017-3506 (CVSS score 7.4), is an OS command injection.

The vulnerability resides in the Oracle WebLogic Server component of Oracle Fusion Middleware. The flaw impacts versions 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. An unauthenticated attacker with network access can exploit the flaw via HTTP to compromise Oracle WebLogic Server.

Successful exploitation of this vulnerability can lead to unauthorized creation, deletion, or modification of critical data, as well as unauthorized access to all data accessible by the Oracle WebLogic Server.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by June 24, 2024.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, Known Exploited Vulnerabilities catalog)