Oracle has recently addressed a critical vulnerability affecting its WebLogic servers. Users must ensure they update their systems quickly as this WebLogic zero-day bug is presently under active exploitation. The bug, upon exploit, can allow an attacker to hijack a users’ systems.
Actively Exploited WebLogic Zero-Day Bug
Reportedly, a critical WebLogic zero-day vulnerability has posed a threat to users’ online security. This bug can allow an attacker to take control of the target devices and execute remote code.
As stated in Oracle’s advisory,
This Security Alert addresses CVE-2019-2729, a deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services. This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
This vulnerability, CVE-2019-2729 has earned a critical severity level, with a CVSS base score of 9.8.
According to a study by KnownSec 404 Team, this vulnerability is presently under wild exploits. While they considered this vulnerability a bypass for the patch of a previously known bug (CVE-2019–2725), Oracle clarified that the recent vulnerability is unrelated to it. In a blog post, John Heimann, VP Security Program Management, clarified,
Please note that while the issue addressed by this alert is a deserialization vulnerability, like that addressed in Security Alert CVE-2019-2725, it is a distinct vulnerability.
Oracle Released A Fix
A number of researchers reported the new WebLogic zero-day vulnerability to Oracle. The bug allegedly affects Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0.
Consequently, the vendors patched the bug and released the fix. Because of the severity of the vulnerability, and the active exploitations, Oracle recommends users to ensure a quick update of their respective systems.
Due to the severity of this vulnerability, Oracle recommends that this Security Alert be applied as soon as possible.
The KnownSec 404 Team also recommended some temporary solutions to mitigate the flaw.
Scenario-1: Find and delete wls9_async_response.war, wls-wsat.war and restart the Weblogic service. Scenario-2: Controls URL access for the /_async/* and /wls-wsat/* paths by access policy control.
Let us know your thoughts in the comments.