There is a serious remote code execution (RCE) vulnerability, CVE-2021-2109, in Oracle WebLogic Server that allows the server to be taken over. Oracle released a patch closing the vulnerability in January 2021.
I became aware of the issue via a tweet, but the web page it points to is in Chinese, so the details are hard to extract from it.
Tenable has compiled some information in this short post. CVE-2021-2109 affects the Console component of Oracle WebLogic Server, part of Oracle Fusion Middleware. The following versions are affected:
- 10.3.6.0.0
- 12.1.3.0.0
- 12.2.1.3.0
- 12.2.1.4.0
- 14.1.1.0.0
The vulnerability is easily exploitable and allows highly privileged attackers with network access via HTTP to compromise Oracle WebLogic Server. A successful attack can lead to a complete takeover of Oracle WebLogic Server. The vulnerability has been assigned a CVSS 3.1 Base Score of 7.2 (max. 10); the score stays below the critical range because an attacker must already hold high privileges. Oracle issued this update advisory in January 2021, which also addresses the vulnerability.