CVE-2019-2418

Name of the Vulnerable Software and Affected Versions Oracle WebLogic Server versions 10.3.6.0, 12.1.3.0, 12.2.1.3

Description The issue is related to inadequate access control in the WLS Core Components subcomponent of Oracle WebLogic Server, allowing an unauthenticated attacker with network access via T3 to compromise the server. Successful attacks can result in unauthorized update, insert, or delete access to some of the server's accessible data, as well as unauthorized read access to a subset of the data. Additionally, attacks can cause a partial denial of service (DOS) of Oracle WebLogic Server. Although the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products.

Recommendations For versions 10.3.6.0, 12.1.3.0, and 12.2.1.3, consider restricting access to the T3 protocol to minimize the risk of exploitation until a patch is available. As a temporary workaround, consider disabling any non-essential features or components that utilize the WLS Core Components subcomponent until the issue is resolved. Avoid using the vulnerable server for sensitive operations until the vulnerability is fixed. At the moment, there is no information about a newer version that contains a fix for this vulnerability.