There is an update available that handles a deserialization vulnerability in Oracle’s WebLogic Server that is remotely exploitable without authentication.
Oracle WebLogic is an application server used for building and hosting Java-EE applications.
Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. There are reports of this vulnerability being actively exploited in April. All versions of Oracle WebLogic with WLS9_ASYNC and WLS-WSAT components enabled.
Due to the severity of this vulnerability, Oracle recommends users apply the updates as soon as possible.
The alert contains a security fix for Oracle Fusion Middleware. This vulnerability is remotely exploitable without authentication and may end up exploited over a network without requiring user credentials.
Oracle Fusion Middleware products include Oracle Database components affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix.
The vulnerability exists within the WLS9_ASYNC and WLS-WSAT components of WebLogic, which can allow for deserialization of malicious code. An unauthenticated attacker can exploit this issue by sending crafted requests to the affected application. Successful exploitation of this vulnerability could allow for remote code execution with elevated privileges.
Oracle recommended the following actions:
• As a temporary workaround, consider disabling the WLS9_ASYNC and WLS-WSAT components until a patch is available
• When available, apply appropriate updates provided by Oracle to affected systems immediately after appropriate testing
• Apply the Principle of Least Privilege to all systems and services
• Verify no unauthorized system modifications have occurred on system before applying patch
• Monitor intrusion detection systems for any signs of anomalous activity
• Unless required, limit external network access to affected products
Oracle recommends users apply the April 2019 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products.