Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2019-2729: Oracle Security Alert Advisory - CVE-2019-2729

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Web Services). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVE
#vulnerability#web#oracle#kubernetes#rce#alibaba#auth#docker#ssl
  • Click to view our Accessibility Policy

  • Skip to content

  • Security Alerts

Oracle Security Alert Advisory - CVE-2019-2729****Description

This Security Alert addresses CVE-2019-2729, a deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services. This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.

Affected Products and Patch Information

Security vulnerabilities addressed by this Security Alert affect the products listed below. The product area is shown in the Patch Availability Document column. Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Security Alert Supported Products and Versions

Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. Oracle recommends that customers plan product upgrades to ensure that patches released through the Security Alert program are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.

Database, Fusion Middleware, Oracle Enterprise Manager products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.

References

  • Oracle Critical Patch Updates, Security Alerts and Bulletins
  • Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions
  • Risk Matrix Definitions
  • Use of Common Vulnerability Scoring System (CVSS) by Oracle
  • English text version of the risk matrices
  • CVRF XML version of the risk matrices
  • Map of CVE to Advisory
  • Software Error Correction Support Policy

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories and Alerts. An English text version of the risk matrices provided in this document is here.

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Oracle conducts an analysis of each security vulnerability addressed by a Security Alert. Oracle does not disclose detailed information about this security analysis to customers, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential impact of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. For more information, see Oracle vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants (if applicable) are affected as well. For example, if HTTP is listed as an affected protocol, it implies that HTTPS (if applicable) is also affected. The secure variant of a protocol is listed in the risk matrix only if it is the only variant affected, e.g. HTTPS will typically be listed for vulnerabilities in SSL and TLS.

Credit Statement

The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle:

  • Badcode of Knownsec 404 Team: CVE-2019-2729
  • Fangrun Li of Creditease Security Team: CVE-2019-2729
  • Foren Lim: CVE-2019-2729
  • Jkgh006: CVE-2019-2729
  • Lucifaer of 360CERT at QiHu360: CVE-2019-2729
  • Maoxin Lin of Dbappsecurity Team: CVE-2019-2729
  • orich1 of CUIT D0g3 Secure Team: CVE-2019-2729
  • WenHui Wang of State Grid: CVE-2019-2729
  • Xu Yuanzhen of Alibaba Cloud Security Team: CVE-2019-2729
  • Ye Zhipeng of Qianxin Yunying Labs: CVE-2019-2729
  • Yuxuan Chen: CVE-2019-2729
  • Zhao Chang of Venustech ADLab: CVE-2019-2729
  • Zhiyi Zhang from Codesafe Team of Legendsec at Qi’anxin Group: CVE-2019-2729

Modification History

Date

Note

2019-July-11

Rev 4. Updated credit statement.

2019-June-21

Rev 3. Updated credit statement.

2019-June-20

Rev 2. Removed irrelevant paragraph about Oracle Database.

2019-June-18

Rev 1. Initial Release.

Oracle Fusion Middleware Risk Matrix

This Security Alert contains 1 new security fix for Oracle Fusion Middleware. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.

CVE#

Product

Component

Protocol

Remote Exploit without Auth.?

CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)

Supported Versions Affected

Notes

Base Score

Attack Vector

Attack Complex

Privs Req’d

User Interact

Scope

Confid­entiality

Inte­grity

Avail­ability

CVE-2019-2729

Oracle WebLogic Server

Web Services

HTTP

Yes

9.8

Network

Low

None

None

Un- changed

High

High

High

10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0

Why Oracle

  • Analyst Reports
  • Best cloud-based ERP
  • Cloud Economics
  • Corporate Responsibility
  • Diversity and Inclusion
  • Security Practices

Learn

  • What is cloud computing?
  • What is CRM?
  • What is Docker?
  • What is Kubernetes?
  • What is Python?
  • What is SaaS?

What’s New

  • News

  • Oracle CloudWorld

  • Oracle Supports Ukraine

  • Oracle Red Bull Racing

  • Oracle Sustainability

  • Employee Experience Platform

  • © 2022 Oracle

  • Privacy/Do Not Sell My Info

  • Ad Choices

  • Careers

  • Facebook

  • Twitter

  • LinkedIn

  • YouTube

Related news

CVE-2021-2369: Oracle Critical Patch Update Advisory - July 2021

Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Library). Supported versions that are affected are Java SE: 7u301, 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically i...

CVE-2020-2978: Oracle Critical Patch Update Advisory - July 2020

Vulnerability in the Oracle Database - Enterprise Edition component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1, 18c and 19c. Easily exploitable vulnerability allows high privileged attacker having DBA role account privilege with network access via Oracle Net to compromise Oracle Database - Enterprise Edition. While the vulnerability is in Oracle Database - Enterprise Edition, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database - Enterprise Edition accessible data. CVSS 3.1 Base Score 4.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N).

CVE-2020-2956: Oracle Critical Patch Update Advisory - April 2020

Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Hierarchy Diagrammers). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.9. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

CVE-2020-2548: Oracle Critical Patch Update Advisory - January 2020

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: WLS Core Components). The supported version that is affected is 10.3.6.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).

CVE-2019-2808: Oracle Critical Patch Update Advisory - July 2019

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Optimizer). Supported versions that are affected are 8.0.16 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.0 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907