What Does the CVE-2019-2729 Oracle Security Alert Mean for Me?
A new CVE security alert has been issued for Oracle WebLogic versions 10.3.6.0.0, 188.8.131.52.0, and 184.108.40.206.0.
This critical vulnerability will allow any attacker with network access to the WebLogic server to take control of the server and run any code on it, without having to provide a username and password.
Ndevr strongly recommend that all WebLogic systems are patched.
The fix for the vulnerability has been released as a Security patch that needs to be applied over either the January 2019 or April 2019 Critical Patch Update (CPU). The steps to apply the fix are therefore to first apply the April 2019 CPU (Patch 29016089) and then apply the Security patch (Patch 29921455).
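To confirm that both patches from the steps above are in place, the following added example (not Ndevr's or Oracle's code) classifies the text of an `opatch lsinventory` listing. It assumes an OPatch-managed install and inventory lines of the form `Patch <id> : applied on <date>`; the sample listing is constructed.

```shell
#!/bin/sh
# Patch numbers as given on this page.
CPU_PATCH=29016089   # April 2019 CPU
FIX_PATCH=29921455   # security patch for CVE-2019-2729

# Constructed sample, modelled on `opatch lsinventory` output (assumed format).
SAMPLE_INVENTORY='Oracle Interim Patch Installer
Patch  29921455     : applied on Fri Jun 21 09:12:44 AEST 2019
Patch  29016089     : applied on Fri Jun 21 08:47:10 AEST 2019
OPatch succeeded.'

# has_patch ID: succeeds if the inventory text on stdin lists ID as applied.
# The pattern is anchored so that "Unique Patch ID" lines and longer
# patch numbers that merely start with ID do not match.
has_patch() {
    grep -Eq "^Patch[[:space:]]+$1[[:space:]]*:[[:space:]]*applied on"
}

# patch_state INVENTORY_TEXT: prints one of
#   patched          CPU and security patch both applied
#   cpu-only         CPU applied, CVE-2019-2729 fix still missing
#   fix-without-cpu  security patch listed without the CPU it sits on
#   unpatched        neither patch listed
patch_state() {
    inv=$1
    cpu=no
    fix=no
    printf '%s\n' "$inv" | has_patch "$CPU_PATCH" && cpu=yes
    printf '%s\n' "$inv" | has_patch "$FIX_PATCH" && fix=yes
    case "$cpu/$fix" in
        yes/yes) echo patched ;;
        yes/no)  echo cpu-only ;;
        no/yes)  echo fix-without-cpu ;;
        *)       echo unpatched ;;
    esac
}

# On a real server: patch_state "$("$ORACLE_HOME/OPatch/opatch" lsinventory)"
patch_state "$SAMPLE_INVENTORY"
```

Any result other than `patched` means the server should still be treated as exposed to this vulnerability.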
CVE security alert for older WebLogic versions
These are no longer patched by Oracle and may be vulnerable.
Ndevr recommend that any servers running older versions of WebLogic are patched to the latest version supported by your JD Edwards Tools release, and then patched as above to mitigate any risk.