Apr 29, 2019

Oracle has fixed a vulnerability in Oracle WebLogic Server. The vulnerability is tracked as CVE-2019-2725 and has a CVSS score of 9.8. It allows an unauthenticated attacker to execute arbitrary code remotely: the flaw sits in the WLS9_ASYNC and WLS-WSAT web services components, which deserialize attacker-supplied XML without any authentication. The steps to fix this vulnerability are outlined in MyOracleSupport note 2535708.1.

Successful exploitation gives the attacker remote code execution inside the WebLogic Server process. Depending on the privileges of the operating system account under which WebLogic runs, the attacker may be able to install programs and read, change or delete data on the server.

Affected versions
All versions of Oracle WebLogic Server are affected.

Action plan
There are two workarounds and a set of patches available to fix this vulnerability:

1. Remove the WLS9_ASYNC and WLS-WSAT components (the archives wls9_async_response.war and wls-wsat.war) from the WebLogic installation and restart the WebLogic servers; or
2. Restrict access to the URL paths /_async/* and /wls-wsat/*, for example with an access control rule on the web server or reverse proxy in front of WebLogic, so that untrusted clients can no longer reach these paths.

Both workarounds remove functionality (asynchronous web services and WS-AtomicTransaction support), so verify that no deployed application depends on them before applying one.

Oracle has also released patches that fix the vulnerability itself; these are the durable fix. The number of patches varies with the WebLogic version in use, and MyOracleSupport note 2535708.1 has all the details.
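To verify that workaround 1 has actually taken effect, the following shell helpers locate any remaining copies of the two component archives under a WebLogic installation or domain directory and interpret the HTTP status a server returns for the /_async/* and /wls-wsat/* paths. This is an added example, not code from the advisory or from Oracle; the archive names wls9_async_response.war and wls-wsat.war are the real archives behind the two components, while the directory layout and the exact endpoint paths queried (/_async/AsyncResponseService and /wls-wsat/CoordinatorPortType) are assumptions for illustration and may need adjusting for your installation.

```shell
#!/bin/sh
# Added example (not part of the original advisory): check whether the
# WLS9_ASYNC and WLS-WSAT components have really been removed from a
# WebLogic host, and interpret endpoint responses after a restart.
# Assumptions: the components live in archives named wls9_async_response.war
# and wls-wsat.war; the endpoint paths used in check_endpoints are the
# well-known service URLs but are treated here as assumptions.

# Print every copy of the two component archives found below the given
# directory (copies may exist in server/lib and in per-server tmp staging
# areas). Returns 0 when none remain, 1 when at least one was found.
find_vulnerable_components() {
    root="$1"
    hits=$(find "$root" \( -name 'wls9_async_response.war' -o -name 'wls-wsat.war' \) \
        -type f 2>/dev/null)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Number of component archives still present below the given directory.
count_vulnerable_components() {
    find "$1" \( -name 'wls9_async_response.war' -o -name 'wls-wsat.war' \) \
        -type f 2>/dev/null | wc -l | tr -d ' '
}

# Map the HTTP status returned for one of the component paths to a verdict:
#   200      component still deployed and reachable (workaround not effective)
#   401/403  path blocked in front of WebLogic (workaround 2 in place)
#   404      component no longer deployed (workaround 1 in place)
classify_status() {
    case "$1" in
        200) echo "exposed" ;;
        401|403) echo "blocked" ;;
        404) echo "removed" ;;
        *) echo "unknown" ;;
    esac
}

# Query a running server for both component paths and print one verdict
# per path. Needs network access and curl, so it is not exercised offline.
check_endpoints() {
    base="${1%/}"
    for path in /_async/AsyncResponseService /wls-wsat/CoordinatorPortType; do
        code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$base$path")
        printf '%s %s %s\n' "$path" "$code" "$(classify_status "$code")"
    done
}

# Usage (as the WebLogic OS user; stop the servers before deleting archives):
#   find_vulnerable_components /u01/oracle/middleware   # lists archives to delete
#   check_endpoints http://weblogic.example.com:7001     # after the restart
```

Run the finder against both the Oracle home and every domain directory, since WebLogic stages copies of internal applications under each server's tmp directory; a 200 from either path after the restart means a copy is still being served.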

If you have additional questions please call us at +31 55 5260670 and ask for our Security Officer.

