Oracle has released an out-of-band emergency software update to patch a newly discovered critical vulnerability in the WebLogic Server.
According to Oracle, the vulnerability, tracked as CVE-2019-2729 and rated 9.8 out of 10 on the CVSS scale, is already being exploited in the wild by an as-yet unnamed group of attackers.
Oracle WebLogic is a Java-based, multi-tier enterprise application server used to deploy new products and services quickly; it is widely used in both cloud and conventional on-premises environments.
The vulnerability is a deserialisation flaw reached through java.beans.XMLDecoder in the Oracle WebLogic Server Web Services component. Because XMLDecoder instantiates whatever classes and invokes whatever methods the XML document names, an unauthenticated remote attacker who can send crafted XML to the affected service can execute arbitrary code on the server and take control of it.
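The root cause described above, as an added example that is not part of the original article and not WebLogic's own code: a minimal handler that feeds an untrusted request body to java.beans.XMLDecoder, beside a hardened handler that treats the same body as plain data. The sample document is constructed for this demo and names only java.lang.StringBuilder; nothing in XMLDecoder limits it to that class, which is the point. The hardened extraction (pulling a single expected `<string>` element out with a DTD-disabled DOM parser) is illustrative of the safe approach, not WebLogic's actual fix.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class XmlDecoderDemo {

    // Constructed sample request body in XMLDecoder's document format.
    // XMLDecoder will instantiate the class named in "class" and call the
    // method named in "method"; the sender, not the server, chooses both.
    static final String UNTRUSTED_BODY = String.join("\n",
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
        "<java version=\"1.8.0\" class=\"java.beans.XMLDecoder\">",
        "  <object class=\"java.lang.StringBuilder\">",
        "    <void method=\"append\"><string>sender controls this object graph</string></void>",
        "  </object>",
        "</java>");

    // VULNERABLE pattern: untrusted bytes go straight into XMLDecoder, which
    // reconstructs an arbitrary object graph by calling constructors and methods.
    static Object vulnerableDecode(byte[] body) {
        try (XMLDecoder decoder = new XMLDecoder(new ByteArrayInputStream(body))) {
            return decoder.readObject();
        }
    }

    // HARDENED pattern: never hand untrusted input to XMLDecoder. Parse it as
    // data with a plain DOM parser (DTDs and external entities disabled), then
    // read out only the one element the endpoint actually expects. No class is
    // instantiated and no method is invoked on the basis of the XML content.
    static String hardenedExtractString(byte[] body) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(new ByteArrayInputStream(body));

        NodeList strings = doc.getElementsByTagName("string");
        if (strings.getLength() != 1) {
            throw new IllegalArgumentException(
                "expected exactly one <string> element, got " + strings.getLength());
        }
        return strings.item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        byte[] body = UNTRUSTED_BODY.getBytes(StandardCharsets.UTF_8);

        // The decoder built a live StringBuilder and called append() on it,
        // purely because the XML told it to.
        Object decoded = vulnerableDecode(body);
        System.out.println("XMLDecoder instantiated " + decoded.getClass().getName()
            + " -> " + decoded);

        // The hardened path yields the same string value without executing anything.
        System.out.println("Hardened extraction -> " + hardenedExtractString(body));
    }
}
```

Swap the class and method names in the sample for anything on the server's classpath and the vulnerable path will happily run it; that is what makes an XMLDecoder endpoint reachable without authentication a remote code execution bug rather than a parsing bug. The hardened variant also closes the XXE door that a DTD-enabled parser would otherwise leave open.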
“This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password,” the advisory said.
In a separate note, the company also said the flaw is related to a previously known deserialisation vulnerability (CVE-2019-2725) in Oracle WebLogic Server that it patched in April this year. In practice the new flaw bypasses that April fix, so servers already patched for CVE-2019-2725 still need this update.
Reported independently by several individuals and organisations, the new vulnerability affects Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0.