Oracle WebLogic is vulnerable to a new deserialization vulnerability that could allow an attacker to execute remote commands on vulnerable hosts. Update May 3, 2019: The solution section below has been updated to reflect the available Oracle updates, and the mitigation section has been revised for clarity.

Oracle WebLogic Affected by Unauthenticated Remote Code Execution Vulnerability (CVE-2019-2725)

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A vulnerability in Oracle WebLogic Server 10.3.6.0.0 & 12.1.3.0.0 allows an unauthenticated attacker with HTTP access to the service to obtain arbitrary code execution due to an insecure deserialization.

Oracle proposes the associated patches on its site to fix the vulnerability.

The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities:

  - An unspecified vulnerability allows a remote unauthenticated     attacker with network access to compromise and takeover the     StorageTek Tape Analytics SW Tool. (CVE-2019-2725) (CVE-2019-2729)

  - An unspecified vulnerability allows a remote unauthenticated     attacker with network access to compromise and takeover the     Tape Virtual Storage Manager GUI. (CVE-2019-2725)

  - An unspecified vulnerability in the WLS Core Component allows an     authenticated low privileged attacker with network     access via HTTP to compromise Oracle WebLogic Server, resulting     in unauthorized update, insert or delete access to Oracle     WebLogic Server accessible data. (CVE-2019-2824) (CVE-2019-2827)

  - An unspecified vulnerability in the jQuery Component allows an     authenticated low privileged attacker with network     access via HTTP to compromise Oracle WebLogic Server, resulting     in unauthorized update, insert or delete access to Oracle     WebLogic Server accessible data. Successful attacks require     human interaction from actions from another Weblogic user.
    (CVE-2016-71030)

  - An unspecified vulnerability in the Application Container - JavaEE     Component of Oracle WebLogic Server allows an unauthenticated     attacker with network access via T3 to compromise Oracle WebLogic     Server. A successful attack of this vulnerability could result in     takeover of Oracle WebLogic Server. (CVE-2019-2856)     
  - An unspecified vulnerability in the Sample apps (Spring Framework)     Component of Oracle WebLogic Server allows an unauthenticated     attacker with network access via HTTP to compromise Oracle WebLogic     Server. A successful attack of this vulnerability could result in     unauthorized ability to cause a hang or frequently repeatable crash     (complete DOS) of Oracle WebLogic Server. (CVE-2018-15756)

The remote Oracle WebLogic server is affected by a remote code execution vulnerability in the WLS9-async component due to unsafe deserialization of XML encoded Java objects. An unauthenticated, remote attacker can exploit this, via a crafted Java object, to execute arbitrary Java code in the context of the WebLogic server.

The version of Oracle WebLogic Server installed on the remote host is affected by a remote code execution vulnerability in the WLS9-async component due to unsafe deserialization of XML encoded Java objects. An unauthenticated, remote attacker can exploit this, via a crafted Java object, to execute arbitrary Java code in the context of the WebLogic server.

ID	Name	Product	Family	Severity
112704	Oracle WebLogic 10.3.6.0.0 / 12.1.3.0.0 Remote Code Execution	Web App Scanning	Component Vulnerability	critical
126915	Oracle WebLogic Server Multiple Vulnerabilities (Jul 2019 CPU)	Nessus	Misc.	critical
124338	Oracle WebLogic WLS9-async Remote Code Execution (remote check)	Nessus	Web Servers	critical
124337	Oracle WebLogic Server wls9_async_response / wls-wsat Remote Code Execution	Nessus	Misc.	critical

Detections

Analytics

CVE-2019-2725

critical

Tenable Plugins

critical

critical

critical

critical