Application Server Software Vulnerabilities

Timeline

The analysis of the timeline helps to identify the required approach to, and handling of, single vulnerabilities and vulnerability collections. This overview makes it possible to see less important slices and more severe hotspots at a glance, so that immediate vulnerability response can be initiated and issues prioritized.

Vendor

Identifying all affected vendors is a good starting point for an overview. This makes it possible to determine a homogeneous landscape or the most important hotspots in heterogeneous landscapes.

Product

Product                            Count
IBM WebSphere Application Server   400
Oracle WebLogic Server             272
Apache Tomcat                      195
Oracle Application Server          125
BEA WebLogic Server                122

Grouping vulnerabilities by product helps to get an overview. This makes it possible to determine a homogeneous landscape or the most important hotspots in heterogeneous landscapes.

Remediation

Remediation      Count
Official Fix     1571
Temporary Fix    1
Workaround       23
Unavailable      9
Not Defined      701

Vendors and researchers are eager to find countermeasures to mitigate security vulnerabilities. These can be distinguished into multiple forms and levels of remediation, which influence risk differently.

Exploitability

Exploitability      Count
High                105
Functional          1
Proof-of-Concept    535
Unproven            142
Not Defined         1522

Researchers and attackers looking for security vulnerabilities try to exploit them for academic purposes or personal gain. The level and quality of exploitability can be distinguished to determine the simplicity and strength of attacks.

Access Vector

Access Vector   Count
Not Defined     0
Physical        1
Local           224
Adjacent        52
Network         2028

When approaching a vulnerability, it is important to consider the expected access vector. This is typically via the network, locally, or even physically.

Authentication

Authentication   Count
Not Defined      0
High             39
Low              522
None             1744

To exploit a vulnerability, a certain level of authentication might be required. Vulnerabilities without such a requirement are much more popular.

User Interaction

User Interaction   Count
Not Defined        0
Required           503
None               1802

Some attack scenarios require user interaction by a victim. This is typical for phishing, social engineering and cross-site scripting attacks.

C3BM Index

Our unique C3BM Index (CVSSv3 Base Meta Index) accumulates the CVSSv3 Meta Base Scores of all entries over time. Comparing this index to the number of disclosed vulnerabilities helps to pinpoint the most important events.

CVSSv3 Base

Score   Count
≤1      0
≤2      0
≤3      11
≤4      192
≤5      364
≤6      676
≤7      373
≤8      375
≤9      137
≤10     177

The Common Vulnerability Scoring System (CVSS) is an industry standard to define the characteristics and impacts of security vulnerabilities. The base score represents the intrinsic aspects that are constant over time and across user environments. Our unique meta score merges all available scores from different sources into the most reliable aggregate result.

CVSSv3 Temp

Score   Count
≤1      0
≤2      0
≤3      24
≤4      236
≤5      499
≤6      660
≤7      408
≤8      225
≤9      124
≤10     129

The Common Vulnerability Scoring System (CVSS) uses temp scores to reflect the characteristics of a vulnerability that may change over time but not across user environments. This includes reporting confidence, exploitability and remediation levels. We also provide our unique meta score for temp scores, even though other sources rarely publish them.

VulDB

Score   Count
≤1      0
≤2      0
≤3      13
≤4      245
≤5      411
≤6      642
≤7      309
≤8      405
≤9      97
≤10     183

The moderation team always defines the base vector and base score for an entry. These and all other available scores are used to generate the meta score.

NVD

Score   Count
≤1      0
≤2      0
≤3      5
≤4      20
≤5      53
≤6      147
≤7      164
≤8      160
≤9      67
≤10     113

The National Vulnerability Database (NVD) also defines CVSS vectors and scores. These are usually not complete and might differ from VulDB scores.

CNA

Score   Count
≤1      0
≤2      0
≤3      0
≤4      4
≤5      5
≤6      5
≤7      19
≤8      12
≤9      2
≤10     4

A CVE Numbering Authority (CNA) is responsible for assigning new CVE entries. It might also include a CVSS score. These scores are usually not complete and might differ from VulDB scores.

Vendor

Score   Count
≤1      0
≤2      0
≤3      0
≤4      2
≤5      18
≤6      22
≤7      29
≤8      32
≤9      18
≤10     43

Some vendors are willing to publish their own CVSS vectors and scores for vulnerabilities in their products. The coverage varies from vendor to vendor.

Research

Score   Count
≤1      0
≤2      0
≤3      0
≤4      0
≤5      0
≤6      0
≤7      0
≤8      0
≤9      0
≤10     0

There are sometimes also security researchers who provide their own CVSS vectors and scores for vulnerabilities they have found and published.

Exploit 0-day

Price    Count
<1k      31
<2k      63
<5k      138
<10k     576
<25k     994
<50k     379
<100k    89
≥100k    35

The moderation team is working with the threat intelligence team to determine prices for exploits. Our unique algorithm is used to identify the 0-day price for an exploit before it got distributed or became public. Calculated prices are aligned to prices disclosed by vulnerability brokers and compared to prices we see on exploit markets.

Exploit Today

Price    Count
<1k      1470
<2k      118
<5k      296
<10k     205
<25k     201
<50k     15
<100k    0
≥100k    0

The 0-day prices do not consider time-relevant factors. The today price reflects price impacts such as the disclosure of vulnerability details, alternative exploits, and the availability of countermeasures. These dynamic aspects might decrease exploit prices over time. Under certain circumstances this happens very fast.

Exploit Market Volume

Our unique calculation of exploit prices makes it possible to forecast the expected exploit market volume. The calculated prices for all possible 0-day exploits are accumulated for this task. Comparing the volume to the number of disclosed vulnerabilities helps to pinpoint the most important events.

CTI Activities

Our unique Cyber Threat Intelligence aims to determine the ongoing research of actors in order to anticipate their activities. Observing exploit markets on the Darknet, discussions of vulnerabilities on mailing lists, and exchanges on social media makes it possible to identify planned attacks. Monitored actors and activities are classified as to whether they are offensive or defensive. They are also weighted, as some actors are well-known for certain products and technologies, and some of their disclosures might contain more or less detail about technical aspects and personal context. The world map highlights active actors in real-time.

Affected Products (249): Apache ActiveMQ, Apache ActiveMQ Artemis, Apache ActiveMQ Client, Apache CXF, Apache CXF Fediz, Apache Tomcat, Apache Tomcat Connectors, Apache Tomcat JK ISAPI Connector, Apache Tomcat JK Web Server Connector, Apache Tomcat Native, Apache Tomcat Native Connector, Apache Tomcat Security Manager, Apache Tomcat Servlet Engine, Avaya Aura Application Server 5300, Avaya IP Office Application Server, BEA BEA WebLogic Portal, BEA WebLogic, BEA Weblogic, BEA Weblogic Integration, BEA WebLogic Mobility Server, BEA WebLogic Portal, BEA WebLogic Server, bea WebLogic Server, BEA WebLogic Workshop, BEA Weblogic Workshop, BEA Systems WebLogic, BEA Systems WebLogic Server, Bradford CampusManager Network Control Application Server, Cisco BroadWorks Application Server, Deploy WebLogic Plugin, Digital Creations Zope, Fujitsu Interstage Application Server, Fujitsu Interstage Application Server Plus, Fujitsu Interstage Application Server Standard J, GlassFish Enterprise Server, GNU WildFly, Hitachi Application Server Help, Hitachi Cosminexus Application Server, Hitachi Ucosminexus Application Server Standard, HP Application Server, Hyland OnBase, Hyland Onbase Application Server, IBM App Connect, IBM Content Template Catalog, IBM Integration Bus, IBM Liberty, IBM Repository, IBM WebSphere, IBM WebSphere Application Liberty, IBM WebSphere Application Server, ibm WebSphere Application Server, IBM WebSphere Application Server Liberty, IBM WebSphere Application Server ND, IBM WebSphere Business Events, IBM WebSphere Business Modeler, IBM Websphere Caching Proxy Server, IBM WebSphere Cast Iron, IBM WebSphere Cast Iron Cloud Integration, IBM WebSphere Commerce, IBM WebSphere Commerce Enterprise, IBM WebSphere Commerce Suite, IBM Websphere Commerce Suite, IBM WebSphere Dashboard Framework, IBM WebSphere DataPower, IBM WebSphere DataPower Appliance, IBM Websphere Datapower Datapower Integration Appliance Xi50, IBM Websphere Datapower Soa Appliance, IBM WebSphere DataPower XC10, IBM WebSphere DataPower XC10 appliance, IBM Websphere Datapower Xc10 Appliance, IBM WebSphere DataPower XML Security Gateway XS40, IBM WebSphere Edge Server, IBM WebSphere eXtreme Scale, IBM WebSphere eXtreme Scale Client, IBM WebSphere Host On-Demand, IBM WebSphere ILOG JRules, IBM WebSphere ILOG Rule Team Server, IBM WebSphere Message, IBM WebSphere Message Broker, IBM WebSphere Message Broker SOAP FLOWS, IBM WebSphere Message Broker Toolkit, IBM WebSphere MQ, IBM WebSphere MQIPT, IBM Websphere MQ Explorer, IBM WebSphere MQ Internet Pass-Thru, IBM Websphere Mq Internet Pass Thru, IBM WebSphere MQ Light, IBM WebSphere Partner Gateway, IBM WebSphere Plugin, IBM WebSphere Portal, IBM WebSphere Process Server, IBM WebSphere Real Time, IBM WebSphere Service Registry, IBM WebSphere Transformation Extender, IBM WebSphere Virtual Enterprise, Invensys Wonderware Application Server, JBoss, JBOSS, jboss-remoting, JBoss AeroGear, JBoss BRMS, JBoss Enterprise Application Platform, JBoss Expressions, JBoss IronJacamar, JBoss jbossas, JBoss JBoss Application Server, JBoss JBoss Enterprise, JBoss jBPM, JBoss KeyCloak, JBoss Management Console, JBoss RichFaces, jboss seam, JBoss Web Console, JBossWeb Bayeux, JBoss AS 7 Community Release, JBoss KeyCloak, JBoss Operations Network, Jenkins Deploy WebLogic Plugin, Jens Vagelpohl zope-ldapuserfolder, Macromedia Application Server, Metasys Data Server, Metasys Extended Application, Metasys LonWorks Control Server, Metasys Network Automation Engine, Metasys Network Integration Engine, Metasys Open Application Server, Metasys Open Data Server, Metasys Smoke Control Network Automation Engine, Metasys System Configuration Tool, Mozilla Durian Web Application Server, MultiXTpm Application Server, Netweblogic Events Manager, Netweblogic Login With Ajax, Oracle 9i Application Server, Oracle Application Server, Oracle Application Server 9i, Oracle Application Server 10g, Oracle Application Server Discussion Forum Portlet, Oracle Application Server Portal, Oracle Application Server Web Cache, Oracle BEA Product Suite, Oracle Bea Product Suite, Oracle BEA WebLogic, Oracle BEA WebLogic Portal, Oracle Converged Application Server, Oracle Converged Application Server - Service Controller, Oracle Database Server, Oracle GlassFish Communications Server, Oracle GlassFish Enterprise Server, Oracle GlassFish Open Source Edition, Oracle GlassFish Server, Oracle GlassFish Server Open Source Edition, Oracle Glassfish Web Space Server10.0, Oracle Internet Application Server, Oracle Java System Application Server, Oracle Oracle9i Application Server, Oracle Oracle Application Server, Oracle Retail Predictive Application Server, Oracle WebLogic, Oracle WebLogic Portal, Oracle WebLogic Server, Oracle Weblogic Server Component, Oracle Weblogic Server Proxy Plug-in, Oracle WebLogic Server Proxy Plug-In, Oracle WebLogic Workshop, Orion Application Server, Orion%02 Application Server, Parallels Remote Application Server, Plone, Red Hat Application Platforms, Red Hat JBoss, Red Hat Jboss, Red Hat jboss-client, Red Hat jboss-remoting, Red Hat JBossWeb, Red Hat JBoss A-MQ, Red Hat JBoss Application Server, Red Hat JBoss BPMS, Red Hat JBoss BPM Suite, Red Hat JBoss BRMS, Red Hat JBoss Core Services httpd, Red Hat JBoss Data Grid, Red Hat JBoss EAP, Red Hat JBoss Enterprise, Red Hat JBoss Enterprise Application Platform, Red Hat JBoss Enterprise BRMS Platform, Red Hat JBoss Enterprise Portal Platform, Red Hat Jboss Enterprise Soa Platform, Red Hat JBoss Enterprise SOA Platform, Red Hat Jboss Enterprise Web, Red Hat JBoss Fuse, Red Hat Jboss Fuse Esb Enterprise, Red Hat JBoss Operations Network, Red Hat JBoss Portal, Red Hat JBoss Remoting, Red Hat JBoss Web Framework Kit, Red Hat JBoss WildFly Application Server, Red Hat WildFly, Red Hat Wildfly Elytron, SAP ABAP Application Server, SAP ABAP Platform, SAP Application Server ABAP, SAP Application Server Java, SAP ENGINEAPI, SAP HANA Database, SAP Internet Graphics Server, SAP Netweaver ABAP Application Server, SAP NetWeaver Application Server, SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server for ABAP, SAP NetWeaver Application Server for Java, SAP NetWeaver Application Server Java, SAP NetWeaver Application Server Java Web Container, SAP NetWeaver for Java Application Server, SAP Netweaver Java Application Server, SAP SAP-JEECOR, SAP SAP Content Server, SAP Web Application Server, SAP Web Dispatcher, SAP Web Dynpro for ABAP, SAP Web Dynpro for BSP, Seagull J Walk Application Server, Siemens SPPA-T3000 Application Server, Sun Application Server, Sun Java System Application Server, Sun Java System Web, Sun One Application Server, Sun ONE Application Server, Tmax Soft JEUS Web Application Server, Weblogicnet, WebLogic Server, Wildfly, WildFly, wildfly-core, WildFly Elytron, Wildfly Elytron, WildFly OpenSSL, Wildfly Security Manager, WildFly Deployer Plugin, Wildfly Elytron, WiTango Application Server, Xerces JBoss, Zope, Zope AccessControl, Zope Products.CMFCore, Zope Products.PluggableAuthService, Zope Web Application Server, Zope ZODB, Zulip Chat Application Server

Published | Base | Temp | Vulnerability | Product | Exploitability | Remediation | CTI | CVE
07/19/2022 | 5.3 | 5.2 | Oracle WebLogic Server Web Services denial of service | WebLogic Server | Not Defined | Official Fix | 0.49 | CVE-2022-21564
07/19/2022 | 5.3 | 5.2 | Oracle WebLogic Server Core denial of service | WebLogic Server | Not Defined | Official Fix | 0.39 | CVE-2022-21560
07/19/2022 | 5.7 | 5.6 | Oracle WebLogic Server Web Container unknown vulnerability | WebLogic Server | Not Defined | Official Fix | 0.49 | CVE-2022-21557
07/19/2022 | 6.1 | 5.9 | Oracle WebLogic Server Centralized Third Party Jars cross site scripting | WebLogic Server | Not Defined | Official Fix | 0.45 | CVE-2022-29577
07/19/2022 | 6.5 | 6.3 | Oracle WebLogic Server Core unknown vulnerability | WebLogic Server | Not Defined | Official Fix | 0.39 | CVE-2022-21548
07/19/2022 | 7.5 | 7.3 | Oracle WebLogic Server Centralized Thirdparty Jars information disclosure | WebLogic Server | Not Defined | Official Fix | 1.82 | CVE-2021-40690
07/19/2022 | 7.5 | 7.3 | Oracle WebLogic Server Centralized Third Party Jars denial of service | WebLogic Server | Not Defined | Official Fix | 2.10 | CVE-2020-28491
07/19/2022 | 7.5 | 7.3 | Oracle WebLogic Server Centralized Third Party Jars denial of service | WebLogic Server | Not Defined | Official Fix | 2.05 | CVE-2022-24839
07/19/2022 | 7.5 | 7.3 | Oracle WebLogic Server Centralized Third Party Jars denial of service | WebLogic Server | Not Defined | Official Fix | 0.44 | CVE-2020-36518
07/19/2022 | 8.2 | 8.0 | Oracle WebLogic Server Centralized Third Party Jars input validation | WebLogic Server | Not Defined | Official Fix | 0.58 | CVE-2020-11987
07/19/2022 | 8.0 | 7.9 | Oracle WebLogic Server Installer Remote Code Execution | WebLogic Server | Not Defined | Official Fix | 0.44 | CVE-2021-2351
07/19/2022 | 9.3 | 9.2 | Oracle Weblogic Server Proxy Plug-in SSL Module input validation | Weblogic Server Proxy Plug-in | Not Defined | Official Fix | 1.82 | CVE-2020-35169
07/19/2022 | 9.1 | 8.9 | Oracle WebLogic Server Centralized Third Party Jars origin validation | WebLogic Server | Not Defined | Official Fix | 0.38 | CVE-2021-26291
07/19/2022 | 9.8 | 9.6 | Oracle WebLogic Server Third Party Tools/Samples code injection | WebLogic Server | Not Defined | Official Fix | 1.98 | CVE-2022-22965
07/19/2022 | 9.0 | 8.9 | Oracle WebLogic Server Sample apps prototype pollution | WebLogic Server | Not Defined | Official Fix | 2.16 | CVE-2021-23450
07/19/2022 | 9.0 | 8.9 | Oracle WebLogic Server Centralized Third Party Jars path traversal | WebLogic Server | Not Defined | Official Fix | 0.38 | CVE-2022-23457
07/14/2022 | 5.5 | 5.4 | IBM WebSphere Application Server Web UI cross site scripting | WebSphere Application Server | Not Defined | Official Fix | 0.06 | CVE-2022-22477
07/14/2022 | 4.2 | 4.2 | IBM WebSphere Application Server Administrative Console information disclosure | WebSphere Application Server | Not Defined | Official Fix | 0.04 | CVE-2022-22473
07/09/2022 | 6.3 | 6.2 | IBM WebSphere Application Server Liberty Request authentication spoofing | WebSphere Application Server Liberty | Not Defined | Official Fix | 0.03 | CVE-2022-22476
06/23/2022 | 3.5 | 3.4 | Apache Tomcat Form Authentication Example cross site scripting | Tomcat | Not Defined | Official Fix | 0.05 | CVE-2022-34305
06/22/2022 | 3.5 | 3.4 | Hyland Onbase Application Server/OnBase Connect information disclosure | Onbase Application Server/OnBase | Not Defined | Official Fix | 0.02 | CVE-2022-23342
06/15/2022 | 4.1 | 3.9 | SAP NetWeaver Application Server ABAP startservice sapuxuserchk privileges management | NetWeaver Application Server ABAP/Application Server Java/ABAP Platform/HANA Database | Not Defined | Official Fix | 0.03 | CVE-2022-29614
05/25/2022 | 3.5 | 3.4 | Red Hat WildFly Configuration file access | WildFly | Not Defined | Official Fix | 0.12 | CVE-2021-3717
05/21/2022 | 5.6 | 5.5 | IBM WebSphere Application Server Ajax Proxy Web Application channel accessible | WebSphere Application Server | Not Defined | Official Fix | 0.00 | CVE-2022-22365
05/18/2022 | 5.0 | 4.9 | IBM WebSphere Application Server Liberty Privilege Escalation | WebSphere Application Server Liberty | Not Defined | Official Fix | 0.04 | CVE-2022-22475
05/13/2022 | 3.1 | 3.0 | IBM WebSphere Application Server Liberty adminCenter information disclosure | WebSphere Application Server Liberty | Not Defined | Official Fix | 0.04 | CVE-2022-22393
05/13/2022 | 4.3 | 4.1 | Apache Tomcat WebSocket Message denial of service | Tomcat | Not Defined | Official Fix | 0.07 | CVE-2022-25762
05/12/2022 | 5.3 | 5.2 | Apache Tomcat EncryptInterceptor resource consumption | Tomcat | Not Defined | Workaround | 0.00 | CVE-2022-29885
05/11/2022 | 3.5 | 3.4 | SAP NetWeaver Application Server ABAP Theme cross site scripting | NetWeaver Application Server ABAP | Not Defined | Official Fix | 0.07 | CVE-2022-29610
05/11/2022 | 5.5 | 5.3 | SAP NetWeaver Application Server for ABAP authorization | NetWeaver Application Server for ABAP/ABAP Platform | Not Defined | Official Fix | 0.00 | CVE-2022-29611
05/11/2022 | 6.3 | 6.0 | Red Hat JBoss Enterprise Application Platform/WildFly authorization | JBoss Enterprise Application Platform/WildFly | Not Defined | Official Fix | 0.05 | CVE-2022-0866
04/19/2022 | 3.3 | 3.2 | Oracle WebLogic Server Third Party Tools information disclosure | WebLogic Server | Not Defined | Official Fix | 0.03 | CVE-2020-8908
04/19/2022 | 5.3 | 5.2 | Oracle WebLogic Server Centralized Third Party Jars input validation | WebLogic Server | Not Defined | Official Fix | 0.03 | CVE-2021-28170
04/19/2022 | 6.2 | 6.1 | Oracle WebLogic Server Console/Samples cross site scripting | WebLogic Server | Not Defined | Official Fix | 0.04 | CVE-2021-41184
04/19/2022 | 6.1 | 5.9 | Oracle WebLogic Server Console unknown vulnerability | WebLogic Server | Not Defined | Official Fix | 0.02 | CVE-2022-21453
04/19/2022 | 6.5 | 6.3 | Oracle WebLogic Server Third Party Tools denial of service | WebLogic Server | Not Defined | Official Fix | 0.04 | CVE-2022-23437
04/19/2022 | 7.5 | 7.3 | Oracle WebLogic Server Core denial of service | WebLogic Server | Not Defined | Official Fix | 0.03 | CVE-2022-21441
04/19/2022 | 9.8 | 9.6 | Oracle WebLogic Server Centralized Third Party Jars sql injection | WebLogic Server | Not Defined | Official Fix | 0.03 | CVE-2022-23305
04/18/2022 | 3.5 | 3.5 | Red Hat WildFly Metrics Data information disclosure | WildFly | Not Defined | Not Defined | 0.04 | CVE-2021-3503
04/18/2022 | 6.3 | 6.3 | WildFly Elytron Undertow session fixation | Elytron | Not Defined | Not Defined | 0.11 | CVE-2021-20324
04/12/2022 | 6.3 | 6.0 | SAP NetWeaver Application Server for Java XML Data Archiving Service authorization | NetWeaver Application Server for Java | Not Defined | Official Fix | 0.02 | CVE-2022-27669
03/12/2022 | 3.5 | 3.5 | Red Hat jboss-client information disclosure | jboss-client | Not Defined | Not Defined | 0.05 | CVE-2022-0853
03/10/2022 | 5.5 | 5.3 | SAP NetWeaver Application Server for ABAP authorization | NetWeaver Application Server for ABAP | Not Defined | Official Fix | 0.13 | CVE-2022-26102
02/24/2022 | 4.3 | 4.2 | IBM WebSphere Application Server cross-site request forgery | WebSphere Application Server/WebSphere Application Server Liberty | Not Defined | Official Fix | 0.04 | CVE-2021-39038
02/10/2022 | 3.5 | 3.4 | SAP NetWeaver Application Server for ABAP SM59 Transaction information disclosure | NetWeaver Application Server for ABAP/ABAP Platform | Not Defined | Official Fix | 0.03 | CVE-2022-22545
02/10/2022 | 8.1 | 8.0 | SAP NetWeaver Application Server ABAP request smuggling | NetWeaver Application Server ABAP/NetWeaver Application Server Java/ABAP Platform/SAP Content Server/Web Dispatcher | Not Defined | Official Fix | 0.05 | CVE-2022-22536
02/10/2022 | 4.3 | 4.1 | SAP NetWeaver Application Server for ABAP Web Dispatcher resource consumption | NetWeaver Application Server for ABAP/ABAP Platform | Not Defined | Official Fix | 0.03 | CVE-2022-22543
02/10/2022 | 6.6 | 6.5 | SAP NetWeaver Application Server Java use after free | NetWeaver Application Server Java | Not Defined | Official Fix | 0.09 | CVE-2022-22533
02/10/2022 | 8.0 | 7.9 | SAP NetWeaver Application Server Java Server Request memory corruption | NetWeaver Application Server Java | Not Defined | Official Fix | 0.09 | CVE-2022-22532
02/05/2022 | 4.3 | 4.1 | Apache ActiveMQ Artemis resource consumption | ActiveMQ Artemis | Not Defined | Official Fix | 0.04 | CVE-2022-23913

2255 more entries are not shown
