The security hole, tracked as CVE-2019-2729 with a CVSS score of 9.8, impacts WebLogic versions 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. The flaw was independently reported to Oracle by nearly a dozen researchers.
According to Oracle, the vulnerability exists due to a deserialization issue related to XMLDecoder, and it can be exploited remotely without authentication.
Oracle has advised users to apply the newly released patches and install the latest Critical Patch Update (CPU).