{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2021-037.pdf"
    },
    "title": "Critical Vulnerabilities in Oracle WebLogic Server",
    "serial_number": "2021-037",
    "publish_date": "22-07-2021 14:24:00",
    "description": "Within the Critical Patch Update for July 2021 addressing hundreds of vulnerabilities across multiple products, Oracle released information about critical vulnerabilities affecting WebLogic Server.",
    "url_title": "2021-037",
    "content_markdown": "---\ntitle: 'Critical Vulnerabilities in\u00a0Oracle\u00a0WebLogic\u00a0Server'\nversion: '1.0'\nnumber: '2021-037'\ndate: 'July 22, 2021'\n---\n\n_History:_\n\n* _22/07/2021 --- v1.0 -- Initial publication_\n\n# Summary\n\nWithin the Critical Patch Update for July 2021, which addresses hundreds of vulnerabilities across multiple products [1], Oracle released information about **critical vulnerabilities affecting WebLogic Server**.\n\n# Technical Details\n\nOracle WebLogic Server is an application server used as a platform for developing, deploying and running enterprise Java-based applications. The Critical Patch Update for July 2021 contains fixes for several WebLogic Server flaws, four of which have been assigned a CVSS score of 9.8 out of 10:\n\n- CVE-2019-2729, a critical deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services that is remotely exploitable without authentication [2],\n- CVE-2021-2394, an easily exploitable vulnerability that allows an unauthenticated attacker with network access via T3 or IIOP to compromise Oracle WebLogic Server [3],\n- CVE-2021-2397, similar to CVE-2021-2394 [4],\n- CVE-2021-2382, similar to CVE-2021-2394 [5].\n\n# Affected Products\n\nThe vulnerabilities exist in Oracle WebLogic Server; the specific affected versions are listed in [2], [3], [4] and [5].\n\n# Recommendations\n\nIt is recommended to apply the necessary patches from the Critical Patch Update for July 2021 [1] as soon as possible.\n\nCERT-EU recommends updating the vulnerable application as soon as possible.\n\n# References\n\n[1] <https://www.oracle.com/security-alerts/cpujul2021.html>\n\n[2] <https://www.oracle.com/security-alerts/alert-cve-2019-2729.html>\n\n[3] <https://nvd.nist.gov/vuln/detail/CVE-2021-2394>\n\n[4] <https://nvd.nist.gov/vuln/detail/CVE-2021-2397>\n\n[5] <https://nvd.nist.gov/vuln/detail/CVE-2021-2382>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>22/07/2021 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>Within the Critical Patch Update for July 2021, which addresses hundreds of vulnerabilities across multiple products [1], Oracle released information about <strong>critical vulnerabilities affecting WebLogic Server</strong>.</p><h2 id=\"technical-details\">Technical Details</h2><p>Oracle WebLogic Server is an application server used as a platform for developing, deploying and running enterprise Java-based applications. The Critical Patch Update for July 2021 contains fixes for several WebLogic Server flaws, four of which have been assigned a CVSS score of 9.8 out of 10:</p><ul><li>CVE-2019-2729, a critical deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services that is remotely exploitable without authentication [2],</li><li>CVE-2021-2394, an easily exploitable vulnerability that allows an unauthenticated attacker with network access via T3 or IIOP to compromise Oracle WebLogic Server [3],</li><li>CVE-2021-2397, similar to CVE-2021-2394 [4],</li><li>CVE-2021-2382, similar to CVE-2021-2394 [5].</li></ul><h2 id=\"affected-products\">Affected Products</h2><p>The vulnerabilities exist in Oracle WebLogic Server; the specific affected versions are listed in [2], [3], [4] and [5].</p><h2 id=\"recommendations\">Recommendations</h2><p>It is recommended to apply the necessary patches from the Critical Patch Update for July 2021 [1] as soon as possible.</p><p>CERT-EU recommends updating the vulnerable application as soon as possible.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.oracle.com/security-alerts/cpujul2021.html\">https://www.oracle.com/security-alerts/cpujul2021.html</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.oracle.com/security-alerts/alert-cve-2019-2729.html\">https://www.oracle.com/security-alerts/alert-cve-2019-2729.html</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://nvd.nist.gov/vuln/detail/CVE-2021-2394\">https://nvd.nist.gov/vuln/detail/CVE-2021-2394</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://nvd.nist.gov/vuln/detail/CVE-2021-2397\">https://nvd.nist.gov/vuln/detail/CVE-2021-2397</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://nvd.nist.gov/vuln/detail/CVE-2021-2382\">https://nvd.nist.gov/vuln/detail/CVE-2021-2382</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}