Description

The Oracle WebLogic Async Component is vulnerable to a XML Deserialization remote code execution vulnerability. Malicious input passed to the XMLDecoder results in the deserialization of an arbitrary Java serialized object. Unauthenticated attackers can exploit it to remotely execute arbitrary code.

Remediation

Oracle released a Critical Patch Update that fixes this issue. To fix this vulnerability it's recommended to install the Oracle Critical Patch Update from the References section.

References

Oracle Security Alert Advisory - CVE-2019-2725

Related Vulnerabilities

SonicWall SSL-VPN 8.0.0.0 RCE via ShellShock exploit

WordPress Plugin Zingiri Web Shop 'abspath' Parameter Remote File Include (2.4.6)

PHP preg_replace used on user input

ColdFusion CFC Deserialization RCE (CVE-2023-26359/CVE-2023-26360)

RCE with Spring Data Commons

Severity

High

Classification

CVE-2019-2725 CWE-94 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution Insecure Deserialization Acumonitor