CVE-2019-2725: Oracle Security Alert CVE-2019-2725
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Oracle Security Alert Advisory - CVE-2019-2725
Description
This Security Alert addresses CVE-2019-2725, a deserialization vulnerability in Oracle WebLogic Server. This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.
Affected Products and Patch Information
Security vulnerabilities addressed by this Security Alert affect the products listed below. The product area is shown in the Patch Availability Document column. Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.
Security Alert Supported Products and Versions
Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Security Alert program are available for the versions they are currently running.
Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.
Database, Fusion Middleware, Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.
References
- Oracle Critical Patch Updates, Security Alerts and Bulletins
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions
- Risk Matrix Definitions
- Use of Common Vulnerability Scoring System (CVSS) by Oracle
- English text version of the risk matrices
- CVRF XML version of the risk matrices
- Map of CVE to Advisory
- Software Error Correction Support Policy
Credit Statement
The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle:
- Badcode of Knownsec 404 Team: CVE-2019-2725
- Hongwei Pan of Minsheng Banking Corp.: CVE-2019-2725
- Icematcha of Qianxin Yunying Labs: CVE-2019-2725
- icez of Tophant Competence Center: CVE-2019-2725
- Liao Xinxi of NSFOCUS Security Team: CVE-2019-2725
- Lin Zheng of Minsheng Banking Corp.: CVE-2019-2725
- Song Keya of Minsheng Banking Corp.: CVE-2019-2725
- Tianlei Li of Minsheng Banking Corp.: CVE-2019-2725
- Xu Yuanzhen of Alibaba Cloud Security Team: CVE-2019-2725
- ZengShuai Hao: CVE-2019-2725
- Zhiyi Zhang from Codesafe Team of Legendsec at Qi’anxin Group: CVE-2019-2725
Modification History

| Date | Note |
| --- | --- |
| 2019-May-29 | Rev 4. Updated Credit Statement. |
| 2019-May-1 | Rev 3. Updated Credit Statement. |
| 2019-April-30 | Rev 2. Updated WebLogic Server Versions. |
| 2019-April-26 | Rev 1. Initial Release. |
Oracle Fusion Middleware Risk Matrix
This Security Alert contains 1 new security fix for Oracle Fusion Middleware. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the April 2019 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2535708.1.
The columns from Base Score through Availability are the CVSS VERSION 3.0 RISK metrics (see Risk Matrix Definitions).

| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | Base Score | Attack Vector | Attack Complex | Privs Req'd | User Interact | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2019-2725 | Oracle WebLogic Server | Web Services | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 10.3.6.0, 12.1.3.0 | |