A new critical vulnerability has been identified in Oracle Weblogic versions 10.3.6.0.0, 184.108.40.206.0, and 220.127.116.11.0.
This vulnerability will allow any attacker with network access to the Weblogic server, and – without having to provide a username and password – take control of the server and run any code on the server.
Ndevr strongly recommend that all Weblogic systems are patched.
The fix for the vulnerability has been released as a Security patch that needs to be applied over either the January 2019 or April 2019 Critical Patch Update (CPU). The steps to apply the fix are therefore to first apply the April 2019 CPU (Patch 29016089) and then apply the Security patch (Patch 29921455).
What about older Weblogic versions ?
These are no longer patched by Oracle and may be vulnerable.
Ndevr recommend that any servers running older versions of Weblogic are patched to the lastest version supported by your JD Edwards Tools release, and then patched as above to mitigate any risk.
Please contact firstname.lastname@example.org for any further information or assistance to ensure that you remain protected from the vulnerability.