Oracle WebLogic Server RCE Deserialization Vulnerability

Oracle WebLogic Server RCE Deserialization Vulnerability

abril 18, 2018 | Adeline Zhang

On 17 April, the local time in California, Oracle released its Critical Patch Update(CPU) Advisory in which a critical WebLogic deserialization vulnerability (CVE-2018-2628) allowing remote code execution without authorization was disclosed.

This vulnerability was first discovered by an NSFOCUS researcher, who reported it to Oracle immediately. More information about this vulnerability together with NSFOCUS’s technical protection solution will be released soon on the blog.

Reference link:

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

Affected versions:

  • Weblogic 10.3.6.0
  • Weblogic 12.1.3.0
  • Weblogic 12.2.1.2
  • Weblogic 12.2.1.3

Earlier versions already not supported by Oracle are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Recommended Solutions

Oracle has released patches in the Critical Patch Update. Users affected by this vulnerability are advised to fix it as soon as possible.

Note: An official licensed account is needed to download the latest patches from Oracle website https://support.oracle.com.