Oracle WebLogic Server Vulnerabilities



**Oracle WebLogic Server Vulnerabilities (CVE-2023-22089 and CVE-2023-22072)**


Two vulnerabilities affecting Oracle WebLogic Server have been identified: CVE-2023-22089 and CVE-2023-22072[1][2][5][6]. Both vulnerabilities affect the Core component of Oracle Fusion Middleware and are present in versions 12.2.1.4.0 and 14.1.1.0.0 of Oracle WebLogic Server[1][2][5][6]. CVE-2023-22072 is also present in version 12.2.1.3.0[2].


CVE-2023-22089 is an easily exploitable vulnerability that allows an unauthenticated attacker with network access via T3 or IIOP to compromise Oracle WebLogic Server. Successful attacks can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data[1][6]. The CVSS 3.1 Base Score for this vulnerability is 7.5 (Confidentiality impacts) [1].


CVE-2023-22072 is also an easily exploitable vulnerability that allows an unauthenticated attacker with network access via T3 or IIOP to compromise Oracle WebLogic Server. Successful attacks can result in a takeover of Oracle WebLogic Server[2][6]. The CVSS 3.1 Base Score for this vulnerability is 9.8 (Confidentiality, Integrity, and Availability impacts) [2].


Oracle released a Critical Patch Update (CPU) in October 2023 that addresses these vulnerabilities[3][6]. Users of Oracle WebLogic Server should apply the CPU as soon as possible to mitigate the risk of exploitation.


Citations:

[1] https://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-14534/Oracle-Weblogic-Server.html

[2] https://nvd.nist.gov/vuln/detail/CVE-2023-22072

[3] https://www.oracle.com/security-alerts/cpuoct2023.html

[4] https://www.oracle.com/security-alerts/cpuoct2023verbose.html

[5] https://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-14534/year-2023/Oracle-Weblogic-Server.html




[6] https://www.tenable.com/plugins/nessus/183311

Crow

physics, information technologies, author, educator
