CVE-2019-2725: Oracle Security Alert CVE-2019-2725

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0 and 12.1.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Oracle Security Alert Advisory - CVE-2019-2725

Description

This Security Alert addresses CVE-2019-2725, a deserialization vulnerability in Oracle WebLogic Server. This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

Affected Products and Patch Information

Security vulnerabilities addressed by this Security Alert affect the products listed below. The product area is shown in the Patch Availability Document column. Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Security Alert Supported Products and Versions

Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Security Alert program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

References

  • Oracle Critical Patch Updates, Security Alerts and Bulletins
  • Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions
  • Risk Matrix Definitions
  • Use of Common Vulnerability Scoring System (CVSS) by Oracle
  • English text version of the risk matrices
  • CVRF XML version of the risk matrices
  • Map of CVE to Advisory
  • Software Error Correction Support Policy

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle:

  • Badcode of Knownsec 404 Team: CVE-2019-2725
  • Hongwei Pan of Minsheng Banking Corp.: CVE-2019-2725
  • Icematcha of Qianxin Yunying Labs: CVE-2019-2725
  • icez of Tophant Competence Center: CVE-2019-2725
  • Liao Xinxi of NSFOCUS Security Team: CVE-2019-2725
  • Lin Zheng of Minsheng Banking Corp.: CVE-2019-2725
  • Song Keya of Minsheng Banking Corp.: CVE-2019-2725
  • Tianlei Li of Minsheng Banking Corp.: CVE-2019-2725
  • Xu Yuanzhen of Alibaba Cloud Security Team: CVE-2019-2725
  • ZengShuai Hao: CVE-2019-2725
  • Zhiyi Zhang from Codesafe Team of Legendsec at Qi’anxin Group: CVE-2019-2725

Modification History

Date            Note
2019-May-29     Rev 4. Updated Credit Statement.
2019-May-1      Rev 3. Updated Credit Statement.
2019-April-30   Rev 2. Updated WebLogic Server Versions.
2019-April-26   Rev 1. Initial Release.

Oracle Fusion Middleware Risk Matrix

This Security Alert contains 1 new security fix for Oracle Fusion Middleware. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix is linked under References above.

Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section of the April 2019 Critical Patch Update. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used. Oracle Database security fixes are not listed in the Oracle Fusion Middleware risk matrix. However, since vulnerabilities affecting Oracle Database versions may affect Oracle Fusion Middleware products, Oracle recommends that customers apply the April 2019 Critical Patch Update to the Oracle Database components of Oracle Fusion Middleware products. For information on what patches need to be applied to your environments, refer to Critical Patch Update April 2019 Patch Availability Document for Oracle Products, My Oracle Support Note 2535708.1.

CVE#                            CVE-2019-2725
Product                         Oracle WebLogic Server
Component                       Web Services
Protocol                        HTTP
Remote Exploit without Auth.?   Yes
CVSS 3.0 Base Score             9.8 (see Risk Matrix Definitions)
Attack Vector                   Network
Attack Complexity               Low
Privileges Required             None
User Interaction                None
Scope                           Unchanged
Confidentiality                 High
Integrity                       High
Availability                    High
Supported Versions Affected     10.3.6.0, 12.1.3.0
Notes                           (none given)
