PT-2007-1146 · Oracle · Oracle Weblogic Server

Ck01

Published 2007-04-10 · Updated 2025-10-27 · CVE-2019-2725

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Oracle WebLogic Server versions 10.3.6.0.0 and 12.1.3.0.0
Description: The issue affects the Oracle WebLogic Server component of Oracle Fusion Middleware, specifically the Web Services subcomponent. It is an easily exploitable vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise the Oracle WebLogic Server. Successful attacks can result in the takeover of the Oracle WebLogic Server. The vulnerability stems from flaws in the deserialization mechanism of the WLS9 ASYNC and WLS-WSAT components, which can be triggered by a specially crafted HTTP request.
Recommendations: For Oracle WebLogic Server version 10.3.6.0.0, update to a version that includes the official fix. For Oracle WebLogic Server version 12.1.3.0.0, update to a version that includes the official fix. As a temporary workaround, consider restricting access to the Web Services subcomponent until a patch is applied.

Exploit

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Special Elements Injection

Related identifiers

ALSA-2025_16880
ALT-PU-2020-1123
ALT-PU-2020-1124
ALT-PU-2020-1125
ALT-PU-2020-1126
ALT-PU-2020-1127
ALT-PU-2020-1436
ALT-PU-2020-1437
ALT-PU-2020-1438
ALT-PU-2020-1439
ALT-PU-2020-1440
BDU:2019-01748
CVE-2019-2725
ORACLEWEBLOGICCVE_2019_2725

Affected products

Alt Linux
Oracle Weblogic Server
Virtualbox