Longofo

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 12.2.1.4.0 through 14.1.1.0.0 **Description** The issue is related to insufficient input validation in the Samples component of Oracle WebLogic Server, allowing an unauthenticated attacker with network access via HTTP to compromise the server. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. This can result in unauthorized update, insert, or delete access to some of Oracle WebLogic Server's accessible data, as well as unauthorized read access to a subset of the server's accessible data. **Recommendations** For versions 12.2.1.4.0 and 14.1.1.0.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 12.2.1.4.0 through 14.1.1.0.0 **Description** The issue is related to insufficient input validation in the Samples component of Oracle WebLogic Server, allowing an unauthenticated attacker with network access via HTTP to compromise the server. Successful attacks can result in unauthorized update, insert, or delete access to some of the server's accessible data, as well as unauthorized read access to a subset of the server's accessible data. **Recommendations** For versions 12.2.1.4.0 and 14.1.1.0.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Coherence versions 12.1.3.0.0 through 14.1.1.0.0 **Description** The issue is related to insufficient input validation in the Core component of Oracle Coherence, allowing an unauthenticated attacker with network access via T3 or IIOP protocols to compromise Oracle Coherence. Successful attacks can result in the takeover of Oracle Coherence. The vulnerability is difficult to exploit. **Recommendations** For versions 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 10.3.6.0.0 through 14.1.1.0.0 **Description** The issue is related to the Web Services component of Oracle WebLogic Server, which can be exploited by an unauthenticated attacker with network access via T3 or IIOP protocols. This can lead to a denial of service (DOS) condition, causing the server to hang or crash repeatedly. The vulnerability is due to incorrect resource cleanup or release. **Recommendations** For versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0, consider restricting access to the T3 protocol to minimize the risk of exploitation until a patch is available. As a temporary workaround, consider disabling the Web Services component until a patch is available. Avoid using the T3 or IIOP protocols in the affected Oracle WebLogic Server versions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Essbase Analytic Provider Services versions 11.1.2.4 through 21.2 **Description** The issue is related to errors in processing input data in the web component of Essbase Analytic Provider Services. It can be exploited by a remote attacker to cause a denial of service. Successful attacks can result in the ability to cause the service to hang or crash repeatedly, leading to a complete denial of service. **Recommendations** For versions 11.1.2.4 and 21.2, update to a version that includes the fix for this issue to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Business Intelligence Enterprise Edition version 12.2.1.4.0 **Description** The issue exists due to insufficient input validation in the Analytics Web General component of Oracle Business Intelligence Enterprise Edition. This allows a remote attacker to gain full control over the application via the HTTP protocol. Successful attacks can result in the takeover of Oracle Business Intelligence Enterprise Edition. **Recommendations** For version 12.2.1.4.0, consider disabling the BIRemotingServlet to prevent deserialization of untrusted data until a patch is available. Restrict access to the Analytics Web General component to minimize the risk of exploitation. Avoid using the HTTP protocol to access the vulnerable component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 10.3.6.0.0 through 14.1.1.0.0 **Description** The issue is related to insufficient input validation in the Core component of Oracle WebLogic Server, allowing an unauthenticated attacker with network access via HTTP to compromise the server. Successful attacks can result in unauthorized read access to a subset of Oracle WebLogic Server accessible data. **Recommendations** For versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Coherence versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 **Description** The issue is related to insufficient input validation in the Core component of Oracle Coherence, allowing an unauthenticated attacker with network access via HTTP to compromise the system. Successful attacks can result in unauthorized access to critical data or complete access to all accessible data. **Recommendations** For versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 10.3.6.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 **Description** The issue exists due to insufficient input validation in the Web Services component of Oracle WebLogic Server, allowing a remote attacker to gain unauthorized access to the device via T3 and IIOP protocols. Successful attacks can result in unauthorized access to critical data or complete access to all accessible data on the Oracle WebLogic Server. **Recommendations** For versions 10.3.6.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the T3 and IIOP protocols to minimize the risk of exploitation. Avoid using untrusted data in the deserialization process of the T3 protocol until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 10.3.6.0.0 through 14.1.1.0.0 **Description** The issue is related to insufficient input validation in the Core component of Oracle WebLogic Server, allowing an unauthenticated attacker with network access via T3 or IIOP to compromise the server. Successful attacks can result in unauthorized access to update, insert, or delete data, as well as cause a partial denial of service. **Recommendations** For versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: IBM WebSphere Application Server versions 7.0 through 9.0 Description: The issue allows a remote attacker to perform an XML External Entity Injection (XXE) attack when the software processes XML data. This could lead to the exposure of sensitive information or the consumption of memory resources. Recommendations: For IBM WebSphere Application Server versions 7.0 through 9.0, update to a version that includes a fix for this issue to prevent XXE attacks. As a temporary workaround, consider restricting the processing of external XML entities to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: IBM WebSphere Application Server versions 8.0 through 9.0 Description: The issue allows a remote attacker to perform an XML External Entity Injection (XXE) attack when the software processes XML data. This could lead to the exposure of sensitive information or the consumption of memory resources. Recommendations: For versions 8.0 through 9.0, update to a version that includes a fix for this issue to prevent XXE attacks. As a temporary workaround, consider restricting the processing of external XML entities to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: IBM WebSphere Application Server versions 7.0 through 9.0 Description: The issue is related to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this to expose sensitive information or consume memory resources. Recommendations: For versions 7.0 through 9.0, update to a version that includes a fix for the XML External Entity Injection vulnerability. As a temporary workaround, consider restricting the processing of XML data from untrusted sources to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** IBM WebSphere Application Server versions 7.0 through 9.0 **Description** The issue is related to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this to expose sensitive information or consume memory resources. **Recommendations** For versions 7.0 through 9.0, update to a version that includes a fix for the XML External Entity Injection (XXE) vulnerability. As a temporary workaround, consider restricting the processing of external XML entities to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 10.3.6.0.0 through 14.1.1.0.0 **Description** The issue is related to insufficient access control in the Console component of Oracle WebLogic Server, allowing a remote attacker to gain full control over the application via the HTTP protocol. This can result in the takeover of Oracle WebLogic Server. The vulnerability is easily exploitable and can be used by a high-privileged attacker with network access. **Recommendations** For Oracle WebLogic Server versions 10.3.6.0.0 through 14.1.1.0.0, update to a version that includes the fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 10.3.6.0.0 through 14.1.1.0.0 **Description** The issue is related to insufficient input validation in the Oracle WebLogic Server, allowing a remote attacker to execute arbitrary code via the IIOP protocol. This can result in the takeover of the Oracle WebLogic Server. The vulnerability can be easily exploited by an unauthenticated attacker with network access. **Recommendations** For versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0, consider disabling the IIOP protocol until a patch is available to prevent exploitation. As a temporary workaround, restrict access to the Core component of the Oracle WebLogic Server to minimize the risk of exploitation. Avoid using the IIOP protocol in the affected Oracle WebLogic Server versions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 12.1.1 through 12.1.3 **Description** The issue is related to insufficient input validation in the User Interface component of Oracle Advanced Outbound Telephony. This allows a low-privileged attacker with network access via HTTP to compromise Oracle Advanced Outbound Telephony, potentially leading to unauthorized access to critical data or complete access to all Oracle Advanced Outbound Telephony accessible data. Successful attacks can also result in unauthorized update, insert, or delete access to some of Oracle Advanced Outbound Telephony accessible data. **Recommendations** For versions 12.1.1 through 12.1.3, consider restricting access to the User Interface component of Oracle Advanced Outbound Telephony to minimize the risk of exploitation. As a temporary workaround, limit the use of HTTP requests to the affected component until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 **Description** The issue is related to insufficient access control in the Web Services component of Oracle WebLogic Server, allowing a remote attacker to gain full control over the application using IIOP and T3 network protocols. Successful attacks can result in the takeover of Oracle WebLogic Server. **Recommendations** For version 10.3.6.0.0, update to a version that includes the fix for this issue. For version 12.1.3.0.0, update to a version that includes the fix for this issue. For version 12.2.1.3.0, update to a version that includes the fix for this issue. For version 12.2.1.4.0, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the Web Services component until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Oracle WebLogic Server versions 10.3.6.0.0 through 12.2.1.4.0 **Description** The issue is related to insufficient access control in the WLS Web Services component of Oracle WebLogic Server, allowing a high-privileged attacker with network access via IIOP, T3 protocols to compromise the server. Successful attacks can result in the takeover of Oracle WebLogic Server. **Recommendations** For versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, and 12.2.1.4.0, consider restricting access to the WLS Web Services component until a patch is available. As a temporary workaround, consider disabling the use of IIOP and T3 protocols to minimize the risk of exploitation. Restrict network access to the Oracle WebLogic Server to minimize the risk of remote attacks.

**Name of the Vulnerable Software and Affected Versions** Oracle Coherence versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 **Description** The issue is related to insufficient access controls in the Caching, CacheStore, and Invocation components of Oracle Coherence. This can be exploited by a remote attacker to gain unauthorized access to protected information via the HTTP protocol. Successful attacks may result in unauthorized read access to a subset of Oracle Coherence accessible data. **Recommendations** For version 3.7.1.0, update to a version that includes the necessary security fixes. For version 12.1.3.0.0, apply the recommended security patches to resolve the issue. For version 12.2.1.3.0, consider restricting access to the Caching, CacheStore, and Invocation components until a patch is available. For version 12.2.1.4.0, disable the vulnerable components temporarily as a workaround until an official fix is released.