Description

Oracle announced a critical patch update to address a vulnerability (CVE-2018-2893) found in its WebLogic Server that affects the product's WLS Core Components subcomponent due to unsafe deserialization of Java objects. An unauthenticated, remote attacker can exploit this vulnerability by crafting a Java object to execute arbitrary Java code in the context of the WebLogic server.

The WebLogic remote code execution vulnerability (CVE-2018-2893) has not been fully fixed. The newly fixed vulnerability is assigned CVE-2018-3245.

Remediation

Upgrade to the latest version of Oracle WebLogic Server. This issue was fixed in Oracle Critical Patch Update - October 2018. Or disable/restrict access to T3

References

Oracle Critical Patch Update Advisory - October 2018

Related Vulnerabilities

Hashicorp Consul API is accessible without authentication

WordPress Plugin Maintenance Mode Under Construction Page Landing Page Possible Remote Code Execution (1.0.9)

WordPress Plugin WordPress Shortcodes-Shortcodes Ultimate Remote Code Execution (5.0.0)

Drupal Core 4.7.x Arbitrary Code Execution (4.7.0 - 4.7.5)

Tiki Wiki CMS: Arbitrary Code Execution

Severity

High

Classification

CVE-2018-3245 CWE-502 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Code Execution Acumonitor