Oracle released its quarterly Critical Patch Update for July 2021 with 342 fixes. Among them is a critical deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services that’s remotely exploitable without authentication. The flaw is rated 9.8 out of a maximum of 10 on the CVSS severity scale. Earlier this year, Oracle shipped the April 2021 patch with fixes for two bugs (CVE-2021-2135) that could be abused to execute arbitrary code. Oracle customers are advised to move quickly to apply the updates and protect systems against potential exploitation.