Corporate admins should monitor Oracle WebLogic security releases and promptly apply the relevant security fixes, as noted below.

The news today is full of a new deserialization vulnerability in Oracle WebLogic. It affects all current versions of the product (the PoC is against 10.3, but 12.x versions are also affected). The vulnerability lies in the wls9_async_response package (which is not included by default in all builds), so the workaround is either to ACL the /_async/* and /wls-wsat/* paths or to delete wls9_async_response.war. A successful attack gives the attacker remote code execution on the vulnerable server.
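As an added illustration (not part of the original post), a defender-side check: a small Python script that scans HTTP access-log lines for requests to the /_async/* and /wls-wsat/* paths named above and reports which sources reached them, so an admin can confirm the ACL workaround is holding. The log lines, the sub-paths under those prefixes and the trusted-source list are constructed for the example; it assumes the WebLogic access log (or a fronting proxy) writes the common log format.

```python
import re
from collections import Counter

# Prefixes served by the wls9_async_response / wls-wsat components. Any request
# here from a source outside the ACL is worth reviewing.
WATCHED_PREFIXES = ("/_async/", "/wls-wsat/")

# Common log format (assumption: this is the layout the server emits).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_watched(path):
    """True when the request path (query string ignored) is under a watched prefix."""
    return path.split("?", 1)[0].startswith(WATCHED_PREFIXES)

def find_hits(lines, trusted_sources=()):
    """Return parsed records for watched-path requests from non-trusted sources."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_watched(rec["path"]):
            continue
        if rec["src"] in trusted_sources:   # sources the ACL is meant to allow
            continue
        hits.append(rec)
    return hits

def source_counts(hits):
    """Count hits per source address, most active first."""
    return Counter(h["src"] for h in hits)

# Constructed sample log lines; the sub-paths "svc" are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Apr/2019:10:15:02 +0000] "POST /_async/svc HTTP/1.1" 202 0
10.0.0.5 - - [25/Apr/2019:10:15:05 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4123
198.51.100.9 - - [25/Apr/2019:10:15:09 +0000] "POST /wls-wsat/svc?x=1 HTTP/1.1" 500 812
10.0.0.5 - - [25/Apr/2019:10:15:12 +0000] "POST /_async/svc HTTP/1.1" 202 0
""".splitlines()

if __name__ == "__main__":
    for src, n in source_counts(find_hits(SAMPLE_LOG, {"10.0.0.5"})).most_common():
        print(f"{src}: {n} request(s) to watched paths")
```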

The root cause appears to be that the affected WAR components ingest and process all serialized data they receive, relying on a blacklist of “bad” content to filter it. What this means to me is that we are likely to see a number of similar vulnerabilities and attacks crop up for a while yet, until Oracle changes this approach. The CVE listed on the CNVD is CVE-2018-2628, and they also list a security tracker link, which says there is a patch for one of the exploit versions and that this is actively being exploited.