Oracle WebLogic 10.3.6.0.0 / 12.1.3.0.0 Remote Code Execution

critical Web App Scanning Plugin ID 112704

Synopsis

Oracle WebLogic 10.3.6.0.0 / 12.1.3.0.0 Remote Code Execution

Description

A vulnerability in Oracle WebLogic Server 10.3.6.0.0 & 12.1.3.0.0 allows an unauthenticated attacker with HTTP access to the service to obtain arbitrary code execution due to an insecure deserialization.

Oracle proposes the associated patches on its site to fix the vulnerability.

Solution

Apply the security patches available on Oracle's website.

See Also

https://www.oracle.com/security-alerts/alert-cve-2019-2725.html

Plugin Details

Severity: Critical

ID: 112704

Type: remote

Published: 2/19/2021

Updated: 9/7/2021

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Critical

Score: 9.5

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-2725

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Score Source: CVE-2019-2725

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 4/26/2019

CISA Known Exploited Vulnerability Due Dates: 7/10/2022

Reference Information

CVE: CVE-2019-2725

BID: 108074