Oracle has released an out-of-band emergency software update to patch a newly discovered critical vulnerability in the WebLogic Server.
The remote code execution flaw (CVE-2019-2729) impacts a number of versions of Oracle’s WebLogic Server, used for building and deploying enterprise applications. The vulnerability has a CVSS score of 9.8 out of 10. Its severity stems in part from the fact that it is remotely exploitable without authentication.
Oracle WebLogic is a Java-based multi-tier enterprise application server that allows businesses to quickly deploy new products and services on the cloud, and it is popular in both cloud and conventional environments.
The issue stems from a deserialization vulnerability in the XMLDecoder in Oracle’s WebLogic Server web services. According to Oracle, the XMLDecoder class is used to read XML documents created with the XMLEncoder.
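A defender-side illustration of what the XMLDecoder document format looks like and how its constructs can be spotted in captured web-service request bodies. This is an added example, not Oracle's code or anything from the advisory; the SOAP bodies, the `find_xmldecoder_content` function and its output strings are constructed assumptions.

```python
"""Flag java.beans.XMLDecoder-format content embedded in SOAP request bodies.

Constructed example of a check a defender might run over captured
web-service requests: legitimate SOAP calls carry application data, while
XMLEncoder output (root <java>, <object class=...>, <void method=...>)
describes object construction and method calls and has no place there.
"""
import xml.etree.ElementTree as ET


def _local_name(tag: str) -> str:
    """Strip a namespace from an ElementTree tag of the form '{uri}name'."""
    return tag.rsplit("}", 1)[-1]


def find_xmldecoder_content(body: str) -> list:
    """Return a list describing XMLDecoder constructs found in an XML body.

    An empty list means nothing suspicious. Unparseable input is reported as
    a finding too, so malformed bodies are not silently waved through.
    For production use, parse with defusedxml to resist entity-expansion bombs.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    for elem in root.iter():  # document order, depth first
        name = _local_name(elem.tag)
        if name == "java":
            findings.append("XMLDecoder document root")
        elif name == "object" and "class" in elem.attrib:
            findings.append(f"object instantiation of {elem.attrib['class']}")
        elif name == "void" and "method" in elem.attrib:
            findings.append(f"method call {elem.attrib['method']}")
    return findings


# Constructed sample bodies (not real captured traffic).
BENIGN_REQUEST = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Body><getStatus><id>42</id></getStatus></soap:Body></soap:Envelope>'
)
SUSPICIOUS_REQUEST = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Header><java version="1.8.0" class="java.beans.XMLDecoder">'
    '<object class="java.util.ArrayList"><void method="add"><string>x</string>'
    '</void></object></java></soap:Header><soap:Body/></soap:Envelope>'
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        print(label, find_xmldecoder_content(body))
```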
“This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password,” the advisory said.
However, John Heimann, vice president of security program management, shut down researchers’ claims that the newly-disclosed flaw is related to CVE-2019-2725, saying the two are unrelated: “Please note that while the issue addressed by this alert is a deserialization vulnerability, like that addressed in Security Alert CVE-2019-2725, it is a distinct vulnerability,” he said in a Tuesday security alert.
Neither Oracle nor KnownSec 404 has responded to requests for comment regarding the two conflicting reports.
Due to the severity of this vulnerability, the company has recommended that affected users and companies install the available security updates as soon as possible.