Overview

On October 15, 2019, local time, Oracle released its own security advisory and third-party security advisories for its October 2019 Critical Patch Update (CPU) which fixes 240 vulnerabilities of varying severity levels across the product families. For details about affected products and available patches, visit the appendix. (mais…)

Overview

Recently, the NSFOCUS security team has found that the Oracle Weblogic vulnerability is exploited in the wild. Its attack signature is similar to that of the CVE-2019-2725 vulnerability. The attack can bypass the latest security patch released by Oracle in April. This vulnerability exists because no proper sanitization is performed when deserialized information is handled. By sending a crafted malicious HTTP request, attackers could exploit this vulnerability to gain server privileges and remotely execute arbitrary code in an unauthorized manner.

(mais…)

1 Vulnerability Overview

On April 17, China National Vulnerability Database (CNVD) published details of a remote code execution vulnerability in Oracle WebLogic Server. Specifically, this vulnerability exists in the wls9_async_response.war component that comes with Oracle WebLogic Server as this component fails to properly deserialize the input information. An unauthorized attacker could exploit this vulnerability to gain server privileges for remote code execution by sending a carefully crafted malicious HTTP request. (mais…)