                                                   JPCERT-AT-2019-0028
                                                             JPCERT/CC
                                                            2019-06-19

                  <<< JPCERT/CC Alert 2019-06-19 >>>

Alert Regarding Vulnerability (CVE-2019-2729) in Oracle WebLogic Server

        https://www.jpcert.or.jp/english/at/2019/at190028.html


I. Overview
On June 18, 2019 (local time), Oracle released a security advisory
regarding a vulnerability (CVE-2019-2729) in Oracle WebLogic Server.
According to the advisory, Oracle WebLogic Server contains
a deserialization vulnerability. A remote attacker leveraging this
vulnerability may execute arbitrary code.

    Oracle
    Oracle Security Alert Advisory - CVE-2019-2729
    https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html


II. Affected Products
The following versions are affected by this vulnerability.

  - Oracle WebLogic Server 12.2.1.3.0
  - Oracle WebLogic Server 12.1.3.0.0
  - Oracle WebLogic Server 10.3.6.0.0


III. Solution
Oracle has released a patch for Oracle WebLogic Server that addresses
this vulnerability. It is recommended to apply the patch as soon as
possible.

  - Oracle WebLogic Server 12.2.1.3.0 *
  - Oracle WebLogic Server 12.1.3.0.0 *
  - Oracle WebLogic Server 10.3.6.0.0 *

* As of June 19 (JST), the details of patch information cannot be
confirmed in public. For more detail of the vulnerability, please
contact Oracle.

Some applications that use affected products may not run properly
after applying patch. Please apply the patch after considering any
possible impacts to applications that you may use.


IV. References
    Oracle
    Oracle Security Alert Advisory - CVE-2019-2729
    https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html

    Oracle
    Security Alert CVE-2019-2729 Released
    https://blogs.oracle.com/security/security-alert-cve-2019-2729-released

    Oracle
    Lifetime Support Stages for Your Oracle Products
    https://www.oracle.com/support/lifetime-support/


If you have any information regarding this alert, please contact
JPCERT/CC.

======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-6271-8901  FAX: +81-3-6271-8908
https://www.jpcert.or.jp/english/