On 17 April (California local time), Oracle released its Critical Patch Update (CPU) Advisory, which disclosed a critical WebLogic deserialization vulnerability (CVE-2018-2628) allowing remote code execution without authorization.
This vulnerability was first discovered by an NSFOCUS researcher, who reported it to Oracle immediately. More information about the vulnerability, together with NSFOCUS's technical protection solution, will be published on this blog soon.
- Weblogic 10.3.6.0
- Weblogic 220.127.116.11
- Weblogic 18.104.22.168
- Weblogic 22.214.171.124
Earlier versions already not supported by Oracle are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.
Oracle has released patches for this vulnerability in the Critical Patch Update. Users running affected versions are advised to apply them as soon as possible.
Note: An official licensed account is needed to download the latest patches from the Oracle support site, https://support.oracle.com.