The U.S. Cybersecurity and Infrastructure Security Agency has ordered federal agencies to urgently patch a two-year-old vulnerability in Oracle WebLogic Server, warning that the flaw is now being actively exploited.