Oracle has released a patch update addressing multiple vulnerabilities in its July 2022 Patch Tuesday edition. This patch update consists of 349 critical security patches in various Oracle product families. The July 2022 Critical Patch Update contains 261 out of 349 security updates that address non-Oracle CVEs, or security flaws in third-party products (such open-source … Continue reading “Oracle Releases 349 Security Patches for Various Oracle Products in July 2022 Patch Tuesday”
Tag: Oracle WebLogic
Oracle Releases 520 Security Patches for Various Oracle Product Families in April 2022 Patch Tuesday
Oracle has released a critical patch update for multiple vulnerabilities in its April 2022 Patch Tuesday. This patch update consists of 520 security patches in various Oracle product families. Out of these 520 security patches, 415 are for non-Oracle CVEs that include fixes for security issues in third-party products that are exploitable in the … Continue reading “Oracle Releases 520 Security Patches for Various Oracle Product Families in April 2022 Patch Tuesday”
Oracle Weblogic Insecure Deserialization with IIOP(CVE-2020-2551)
Overview On January 14, 2020, Oracle disclosed the critical vulnerability CVE-2020-2551 . Vulnerability has been discovered in the Oracle WebLogic Server, component of Oracle Fusion Middleware using IIOP protocol. Flaw existed the way WebLogic Server handled IIOP deserialization. It led to remote code execution using IIOP protocol via Malicious JNDI Lookup. Before looking into vulnerability, … Continue reading “Oracle Weblogic Insecure Deserialization with IIOP(CVE-2020-2551)”
Oracle WebLogic Deserialization Remote Code Execution Vulnerability (CNVD-C-2019-48814/CVE-2019-2725)
Oracle WebLogic is an application server used for building and hosting Java-EE applications. A highly critical remote code execution vulnerability has been discovered in Oracle WebLogic application servers running the WLS9_ASYNC and WLS-WSAT components. The vulnerability was initially disclosed by China National Vulnerability Database under the tracker number CNVD-C-2019-48814. Later the vulnerability is assigned to … Continue reading “Oracle WebLogic Deserialization Remote Code Execution Vulnerability (CNVD-C-2019-48814/CVE-2019-2725)”
Oracle WebLogic Server XML External Entity Vulnerability (CVE-2018-3246)
Oracle has addressed several WebLogic Server vulnerabilities this Patch Tuesday. In this post we will discuss one of the critical vulnerbilities, CVE-2018-3246. It’s an XML External Entity (XXE) vulnerability that affects Oracle WebLogic Server versions 12.1.3.0, and 12.2.1.3. Vulnerability Analysis: The vulnerability exists in a component that allows users to upload configuration files in an XML … Continue reading “Oracle WebLogic Server XML External Entity Vulnerability (CVE-2018-3246)”
WebLogic WLS Deserialization RCE : CVE-2017-10271
In the month of October 2017 a Java deserialization vulnerability was disclosed to Oracle. The vulnerability is assigned CVE-2017-10271. Oracle has addressed this issue by releasing patches in October. Upon successful exploitation an attacker can achieve remote code execution with out authentication. An attacker sends a custom XML request to CoordinatorPortType web service, this causes … Continue reading “WebLogic WLS Deserialization RCE : CVE-2017-10271”