CVE-2025-21549
Published: 21 January 2025
Description
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). The supported version that is affected is 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP/2 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Security Summary
CVE-2025-21549 is a vulnerability in the Core component of Oracle WebLogic Server, which is part of the Oracle Fusion Middleware product. The supported version affected is 14.1.1.0.0. This easily exploitable issue, classified under CWE-400 (Uncontrolled Resource Consumption), can be triggered by an unauthenticated attacker through HTTP/2 traffic sent to the server. It has a CVSS 3.1 base score of 7.5, reflecting high availability impact with no effect on confidentiality or integrity, as detailed in the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
An unauthenticated attacker with network access via HTTP/2 can exploit this vulnerability to cause a hang or frequently repeatable crash, resulting in a complete denial of service (DoS) against Oracle WebLogic Server. No privileges, user interaction, or special scope changes are required, making it accessible to remote actors over the network with low complexity.
Mitigation details are provided in the Oracle Critical Patch Update advisory for January 2025, available at https://www.oracle.com/security-alerts/cpujan2025.html.
Details
- CWE(s)