My Oracle Support Banner

Assistance With Patching WebLogic Vulnerabilities (Doc ID 2635817.1)

Last updated on FEBRUARY 04, 2020

Applies to:

Oracle Communications Converged Application Server - Version 7.1 and later
Information in this document applies to any platform.

Goal

Assistance with patching WebLogic vulnerabilities.

How to address the following vulnerbilities on weblogic 12.2.1.3.0?
- The remote Oracle WebLogic server is affected by a remote code execution vulnerability in the WLS Security component due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons File Upload library. An unauthenticated, remote attacker can exploit this, via a crafted a DiskFileItem object, to execute arbitrary code in the context of the WebLogic server.

- The remote Oracle WebLogic server is affected by a remote code execution vulnerability in the Core Components subcomponent due to unsafe deserialization of Java objects by the RMI registry. An unauthenticated, remote attacker can exploit this, via a crafted Java object, to execute arbitrary Java code in the context of the WebLogic server.

Note that this plugin does not attempt to exploit this RCE directly and instead checks for the presence of the patch Oracle supplied in the April 2018 critical patch update (CPU).

- The remote Oracle WebLogic server is affected by a remote code execution vulnerability in the Core Components subcomponent due to unsafe deserialization of Java objects. An unauthenticated, remote attacker can exploit this, via a crafted Java object, to execute arbitrary Java code in the context of the WebLogic server.
 

Solution

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Goal
Solution
References


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.