| Field | Value |
|---|---|
| VID | 22918 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | Servlet |
| Detailed Description | The remote Oracle WebLogic server is affected by a remote code execution vulnerability in the WLS9-async component due to unsafe deserialization of XML-encoded Java objects. An unauthenticated, remote attacker can exploit this, via a crafted Java object, to execute arbitrary Java code in the context of the WebLogic server. |
| References | https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html ; https://medium.com/@knownsec404team/knownsec-404-team-oracle-weblogic-deserialization-rce-vulnerability-0day-alert-90dd9a79ae93 |
| Platforms Affected | Oracle WebLogic Server, versions 10.3.6.0 and 12.1.3.0; any operating system, any version |
| Recommendation | Apply the patch, available from the Oracle WebLogic Server web site at https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html |
| Related URL | CVE-2019-2725 (CVE) |
| Related URL | 108074 (SecurityFocus) |
| Related URL | (ISS) |