Oracle has released a new security alert that addresses a critical vulnerability in Oracle WebLogic Server that has been exploited in the wild.
Oracle WebLogic is a Java EE application server used for building and hosting web and e-commerce applications.
The update fixes a deserialization vulnerability CVE-2019-2725 in Oracle WebLogic Server that could result in remote code execution. An attacker could remotely exploit the vulnerability without authentication (i.e., without need for username and password). Oracle provided a patch for Oracle Fusion Middleware that fixes the WebLogic vulnerability.
A new alert and threat intelligence report warns this vulnerability is also being actively exploited in the wild in April 2019.
Impacted products include Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, as well as all versions of Oracle WebLogic with WLS9_ASYNC and WLS-WSAT components enabled.
The CVSS base score of this critical severity vulnerability is rated quite high at 9.8 (10 being the highest). Oracle strongly recommends that customers apply the updates provided in the Security Alert as soon as possible.