A new zero-day flaw discovered in Oracle WebLogic Server lets attackers exploit the vulnerability to execute commands remotely without authorization.
The Oracle WebLogic components wls9_async and wls-wsat trigger this deserialization remote command execution vulnerability, and it affects all WebLogic versions in which the wls9_async_response.war and wls-wsat.war components are enabled (including the current version).
WebLogic Server is a Java EE application server developed by Oracle Corporation for cloud environments and traditional environments.
The wls9_async_response component is enabled by default in some versions of WebLogic and provides asynchronous communication services for WebLogic Server. When this component deserializes input data, the flaw in the WAR package is triggered.
By taking advantage of this flaw, an attacker can send a carefully constructed malicious HTTP request to gain the permissions of the target server and execute commands remotely without authorization.
To read the original article: