Another Oracle WebLogic Server RCE under active exploitation
Oracle has released an out-of-band fix for CVE-2019-2729, a critical deserialization vulnerability in a number of versions of Oracle WebLogic Server, and is urging customers to apply the security update as soon as possible.
Speed is of the essence as, according to KnownSec 404 researchers, the vulnerability is already being exploited in the wild.
About the vulnerability (CVE-2019-2729)
“This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password,” Oracle noted.
If this sounds familiar, it’s because the a similar (but distinct) vulnerability (CVE-2019-2725) was revealed and fixed in April and has been actively exploited by attackers to deliver ransomware and cryptominers.
KnownSec 404 researchers say that CVE-2019-2729 is, in fact, based on and bypasses the patch for CVE-2019–2725.
Oracle fixes a bypass for a bypass fix of a bypass that was bypssed during fixing a bug that was used to bypass the bypass fix of a serialization issue in weblogic. https://t.co/dFAzfuQNyd
— Hamid K (@hkashfi) June 16, 2019
Before Oracle released the patch, KnownSec 404 advised users to mitigate the risk by:
- Finding and deleting wls9_async_response.war, wls-wsat.war and restarting the Weblogic service, or by
- Preventing access to the /_async/* and /wls-wsat/* URL paths via access policy control.
This advice is still valid for those who can’t quickly upgrade their WebLogic installation.
The only good news is that, unlike CVE-2019-2725, CVE-2019-2729 does not affect all WebLogic versions, just 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0.
Oracle WebLogic Server is a preferred target
Oracle WebLogic is a Java EE application server that is part of Oracle’s Fusion Middleware portfolio and supports a variety of popular databases.
It’s often used by organizations and connected to other enterprise systems, so it can serve as a stepping stone for attackers looking to steal sensitive data. Still, it is mostly targeted for its abundant resources, which attackers want to use to covertly mine cryptocurrency.