Oracle announced a critical patch update to address a vulnerability (CVE-2018-2893) in the WLS Core Components subcomponent of its WebLogic Server, caused by unsafe deserialization of Java objects. An unauthenticated, remote attacker can exploit this vulnerability by crafting a Java object to execute arbitrary Java code in the context of the WebLogic server.
The fix for the WebLogic remote code execution vulnerability (CVE-2018-2893) was not complete. The newly fixed vulnerability is assigned CVE-2018-3245.
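The bug class described above, as an added example that is not from the original page and is not Oracle's code or patch: an unfiltered `readObject()` next to the same read guarded by an allowlist filter. It assumes Java 9 or later for the standard `java.io.ObjectInputFilter` API; the class name, allowlist and sample objects are constructed for the demo.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.HashMap;
// Added illustration: class name, allowlist and sample objects are constructed.
public class SerialFilterDemo {
    // Allowlist of the types this reader expects, plus resource caps; "!*" rejects the rest.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxrefs=100;maxbytes=4096;maxarray=64;"
            + "java.lang.*;java.util.ArrayList;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // Unsafe form: any Serializable class on the classpath is instantiated, and
    // its readObject() logic runs before the caller can inspect the result.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened form: the filter is consulted for each class before it is
    // instantiated; a rejected class aborts the read with InvalidClassException.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ALLOWLIST);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ArrayList<String> expected = new ArrayList<>();
        expected.add("order-42");
        System.out.println("expected type: " + readFiltered(serialize(expected)));
        // HashMap stands in for any class the reader never meant to accept.
        byte[] unexpected = serialize(new HashMap<String, String>());
        System.out.println("unfiltered: " + readUnfiltered(unexpected).getClass().getName());
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected (" + e.getMessage() + ")");
        }
    }
}
```

A filter like this narrows what a stream may instantiate in code you control; it does not replace applying the vendor patch listed below.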
- Upgrade to the latest version of Oracle WebLogic Server. This issue was fixed in Oracle Critical Patch Update Advisory - July 2018.