Oracle on Tuesday announced that it has released emergency patches for a critical remote code execution vulnerability affecting WebLogic Server, a Java EE application server that is part of the company’s Fusion Middleware offering.
The security hole, tracked as CVE-2019-2729 with a CVSS score of 9.8, impacts WebLogic versions 10.3.6.0.0, 22.214.171.124.0 and 126.96.36.199.0. The flaw was independently reported to Oracle by nearly a dozen researchers.
According to Oracle, the vulnerability exists due to a deserialization issue related to XMLDecoder and it can be exploited remotely without authentication.
Oracle has advised users to apply the patches released now and install the latest Critical Patch Update (CPU).
In a short blog post, John Heimann, VP of Security Program Management at Oracle, pointed out that CVE-2019-2729 is different from CVE-2019-2725, despite the fact that both are deserialization issues.