The bug bypasses a previously fixed flaw and researchers say it is actively used in attacks. The issue is now tracked CVE-2019-2729 and it is deserialization via XMLDecoder in Oracle WebLogic Server Web Services. The bug may be exploited over a network without the need for a username and password. Oracle on Tuesday announced a patch for a remote code execution vulnerability affecting specific versions of the Web Logic Server. There are almost 42,000 instances of Oracle’s Web logic Server deployed in 2019.
Source: https://www.bleepingcomputer.com/news/security/oracle-fixes-critical-bug-in-weblogic-server-web-services/