Critical Vulnerabilities in Oracle WebLogic Server

Published on 22 Jul 2021

Updated on 22 Jul 2021

Oracle has released a security update to address two critical vulnerabilities (CVE-2021-2394 and CVE-2021-2397) present in its WebLogic Server product.

The two vulnerabilities may allow an unauthenticated attacker with network access via the T3 or Internet Inter-ORB Protocol (IIOP) protocols to compromise a vulnerable server. Successful exploitation can result in a takeover of the server. Oracle has assessed that these vulnerabilities are easily exploitable.

Both vulnerabilities are present in Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.

Administrators and users of affected product versions are advised to apply the latest security updates immediately.

More information is available here:

https://www.oracle.com/security-alerts/cpujul2021.html
https://nvd.nist.gov/vuln/detail/CVE-2021-2394
https://nvd.nist.gov/vuln/detail/CVE-2021-2397