On Tuesday, Oracle released its quarterly critical hotfix update for July 2021, with 342 fixes spanning multiple products, some of which could be exploited by a remote attacker to take control of an affected system.
Chief among them is CVE-2019-2729, a critical deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services that is remotely exploitable without authentication. Notably, the weakness was originally corrected as part of an out-of-band security update in June 2019.
Oracle WebLogic Server is an application server that functions as a platform for developing, deploying, and running enterprise Java applications.
The flaw, rated 9.8 out of a maximum of 10 on the CVSS severity scale, affects versions 18.104.22.168 and 22.214.171.124 of WebLogic Server and exists within Oracle Hyperion infrastructure technology.
Six other flaws were also fixed in WebLogic Server, three of which received a CVSS score of 9.8 out of 10 –
This is far from the first time that critical issues have been discovered in WebLogic Server. Earlier this year, Oracle delivered the April 2021 patch with fixes for two bugs (CVE-2021-2135 and CVE-2021-2136), among others, that could be abused to execute arbitrary code.
Oracle customers are advised to act quickly to apply updates and protect systems from potential exploitation.