Oracle is urging customers to apply its April 2020 Critical Patch Update that addresses 405 flaws, including a number of vulnerabilities that have been actively targeted by hackers.
In a recent blog post Eric Maurice, director of security assurance at Oracle, said the company has received “reports of attempts to maliciously exploit a number of recently-patched vulnerabilities, including vulnerability CVE-2020-2883, which affects multiple versions of Oracle WebLogic Server.”
Oracle WebLogic Server is a popular application server used in building and deploying enterprise Java EE applications.
The vulnerability in question exists because Oracle WebLogic Server does not properly validate serialized data received over the T3 protocol. A remote attacker can exploit it to execute arbitrary code on a vulnerable system by sending specially crafted data to the application.
CVE-2020-2883 is one of several WebLogic Server vulnerabilities for which proof-of-concept (PoC) code was published on GitHub last week.
Although Maurice only mentioned one vulnerability under active attack, he advised users to install the latest updates as soon as possible.
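Because the flaw is reached through serialized T3 data, a common defence-in-depth step alongside patching is to restrict which clients may open T3/T3S connections at all, using WebLogic's connection-filter hook. The class below is an added example, not code from the article or from Oracle; it assumes the filter is placed on the server classpath and registered as the domain's connection filter, and the 10.0.0.0/8 range is a hypothetical administrative network that must be replaced with the real one.

```java
package example.security; // hypothetical package name

import java.net.InetAddress;
import weblogic.security.net.ConnectionEvent;
import weblogic.security.net.ConnectionFilter;

/**
 * Rejects T3 and T3S connections from any client outside an
 * allowlisted network, leaving HTTP and other protocols untouched.
 * Registered via the WebLogic domain's connection filter setting.
 */
public class T3AllowlistFilter implements ConnectionFilter {

    // Hypothetical admin network 10.0.0.0/8: first octet must be 10.
    private static final int ALLOWED_FIRST_OCTET = 10;

    @Override
    public boolean accept(ConnectionEvent evt) {
        String proto = evt.getProtocol() == null
                ? "" : evt.getProtocol().toLowerCase();

        // Only T3 and T3S carry the serialized payloads at issue;
        // every other protocol is passed through unchanged.
        if (!proto.equals("t3") && !proto.equals("t3s")) {
            return true;
        }

        InetAddress remote = evt.getRemoteAddress();
        byte[] addr = remote == null ? new byte[0] : remote.getAddress();

        // IPv4 only: accept when the client sits in 10.0.0.0/8.
        boolean allowed = addr.length == 4
                && (addr[0] & 0xff) == ALLOWED_FIRST_OCTET;

        if (!allowed) {
            // Denied attempts are worth logging: a burst of rejected T3
            // connections from outside the admin network is a useful
            // detection signal for exploitation attempts.
            System.err.println("Denied " + proto + " connection from "
                    + (remote == null ? "unknown" : remote.getHostAddress())
                    + " to local port " + evt.getLocalPort());
        }
        return allowed;
    }
}
```

The filter is a network-level mitigation only; it does not remove the deserialization flaw, so the April 2020 patch still has to be applied.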