Oracle fixes critical RCE vulnerabilities in Weblogic Server

Oracle released its Critical Patch Update for July 2021, it fixes hundreds of flaws, including Critical Remotely Exploitable vulnerabilities in Weblogic Server.

Oracle this week released its quarterly Critical Patch Update for July 2021 that contains 342 new security patches for multiple product families. Some of the vulnerabilities addressed by the IT giant could be remotely exploited by attackers to take control of devices.

One of the most severe issues addressed by Oracle is a critical deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services. The CVE-2019-2729 flaw is a remote code execution vulnerability that could be exploited by an unauthenticated attacker.

“This Security Alert addresses CVE-2019-2729, a deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services. This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.” reads the advisory published by Oracle.

“Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.”

The vulnerability received a CVSS score of 9.8 out of 10, it resides in the Oracle Hyperion Infrastructure Technology and affects WebLogic Server versions 11.1.2.4 and 11.2.5.0.

The company also addressed other vulnerabilities in WebLogic Server, three of which rated as critical severity:

• CVE-2021-2394 (CVSS score: 9.8)
• CVE-2021-2397 (CVSS score: 9.8)
• CVE-2021-2382 (CVSS score: 9.8)
• CVE-2021-2378 (CVSS score: 7.5)
• CVE-2021-2376 (CVSS score: 7.5)
• CVE-2021-2403 (CVSS score: 5.3)

Oracle urges customers to install security updates immediately.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Weblogic)

[adrotate banner=”5″]

[adrotate banner=”13″]