---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'Critical Vulnerabilities in Oracle WebLogic Server'
version: '1.0'
number: '2021-037'
date: 'July 22, 2021'
---

_History:_

* _22/07/2021 --- v1.0 -- Initial publication_

# Summary

Within the Critical Patch Update for July 2021, which addresses hundreds of vulnerabilities across multiple products [1], Oracle released information about **critical vulnerabilities affecting WebLogic Server**.

# Technical Details

Oracle WebLogic Server is an application server used as a platform for developing, deploying and running enterprise Java-based applications.

The Critical Patch Update for July 2021 contains fixes for several WebLogic Server flaws, four of which have been assigned a CVSS score of 9.8 out of 10:

- CVE-2019-2729, a critical deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services that is remotely exploitable without authentication [2],
- CVE-2021-2394, an easily exploitable vulnerability that allows an unauthenticated attacker with network access via T3 or IIOP to compromise Oracle WebLogic Server [3],
- CVE-2021-2397, similar to CVE-2021-2394 [4],
- CVE-2021-2382, similar to CVE-2021-2394 [5].

# Affected Products

The vulnerabilities exist in Oracle WebLogic Server; the specific affected versions are listed in [2], [3], [4] and [5].

# Recommendations

It is recommended to apply the necessary patches from the Critical Patch Update for July 2021 [1] as soon as possible.

CERT-EU recommends updating the vulnerable application as soon as possible.

# References

[1]

[2]

[3]

[4]

[5]