PT-2007-1146 · Oracle · Oracle Weblogic Server

Ck01

Published: 2007-04-10 · Updated: 2025-10-27 · CVE-2019-2725

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Oracle WebLogic Server versions 10.3.6.0.0 and 12.1.3.0.0
Description: The issue affects the Web Services subcomponent of the Oracle WebLogic Server component of Oracle Fusion Middleware. It is easily exploitable: an unauthenticated attacker with network access via HTTP can compromise the Oracle WebLogic Server, and a successful attack can result in the takeover of the server. The vulnerability stems from flaws in the deserialization mechanism of the WLS9 ASYNC and WLS-WSAT components, which can be triggered by a specially crafted HTTP request.
Recommendations: For Oracle WebLogic Server versions 10.3.6.0.0 and 12.1.3.0.0, update to a version that includes the official fix. As a temporary workaround, consider restricting network access to the Web Services subcomponent (the WLS9 ASYNC and WLS-WSAT components) until a patch can be applied.

Exploit

Fix

Weakness Enumeration

Deserialization of Untrusted Data
Special Elements Injection

Related Identifiers

ALSA-2025_16880
ALT-PU-2020-1123
ALT-PU-2020-1124
ALT-PU-2020-1125
ALT-PU-2020-1126
ALT-PU-2020-1127
ALT-PU-2020-1436
ALT-PU-2020-1437
ALT-PU-2020-1438
ALT-PU-2020-1439
ALT-PU-2020-1440
BDU:2019-01748
CVE-2019-2725
ORACLEWEBLOGICCVE_2019_2725

Affected Products

Alt Linux
Oracle Weblogic Server
Virtualbox