Another Oracle WebLogic Server RCE under active exploitation

Oracle has released an out-of-band fix for CVE-2019-2729, a critical deserialization vulnerability in a number of versions of Oracle WebLogic Server, and is urging customers to apply the security update as soon as possible.


Speed is of the essence as, according to KnownSec 404 researchers, the vulnerability is already being exploited in the wild.

About the vulnerability (CVE-2019-2729)

“This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password,” Oracle noted.

If this sounds familiar, it is because a similar (but distinct) vulnerability, CVE-2019-2725, was revealed and fixed in April and has since been actively exploited by attackers to deliver ransomware and cryptominers.

KnownSec 404 researchers say that CVE-2019-2729 is, in fact, a bypass of the patch for CVE-2019-2725: the same attack surface is reachable once the April fix is sidestepped.

Before Oracle released the patch, KnownSec 404 advised users to mitigate the risk by:

  • Finding and deleting wls9_async_response.war and wls-wsat.war, then restarting the WebLogic service, or by
  • Preventing access to the /_async/* and /wls-wsat/* URL paths via access policy control (for example at a fronting reverse proxy or WAF).

This advice is still valid for those who can’t quickly upgrade their WebLogic installation.
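The following script is an added example, not code from the article, from Oracle or from KnownSec 404. It implements the two checks a defender would want while the interim mitigation is in place: locate the two web archives named above under a WebLogic home, and probe the service endpoints that sit under the /_async/ and /wls-wsat/ paths to confirm they are no longer reachable. The endpoint names `/_async/AsyncResponseService` and `/wls-wsat/CoordinatorPortType` are the default service URLs for those two applications; the expectation that a live endpoint answers 200, a blocked one 401/403 and a removed one 404 is an assumption about typical deployments and should be confirmed against your own server.

```shell
#!/bin/sh
# Added example (not from the advisory or from KnownSec 404).
# Two helpers for verifying the interim CVE-2019-2729 mitigation:
#   1. find_wls_wars / count_wls_wars  - locate the vulnerable web archives
#   2. probe_path / classify_status    - check whether the URL paths are exposed
# Assumptions: archives are found anywhere under the directory given (on most
# installs that is $WL_HOME/server/lib); curl is available for the HTTP probe.

# List wls9_async_response.war and wls-wsat.war under a directory, one per line.
# Empty output means neither archive is present.
find_wls_wars() {
    find "$1" -type f \( -name 'wls9_async_response.war' -o -name 'wls-wsat.war' \) 2>/dev/null
}

# Number of the two archives still present under a directory (0, 1 or 2).
count_wls_wars() {
    find_wls_wars "$1" | wc -l | tr -d ' '
}

# Issue a GET for a path on a base URL and print only the HTTP status code.
# curl prints 000 when the host cannot be reached at all.
probe_path() {
    base="$1"
    path="$2"
    curl -s -o /dev/null -m 10 -w '%{http_code}' "$base$path"
}

# Map an HTTP status code to the mitigation state it indicates:
#   200      -> the service answered, so the path is still exposed
#   401/403  -> an access policy is in front of it
#   404      -> the archive was removed (or never deployed)
#   000      -> the server could not be reached
classify_status() {
    case "$1" in
        200)     echo exposed ;;
        401|403) echo blocked ;;
        404)     echo absent ;;
        000)     echo unreachable ;;
        *)       echo "other($1)" ;;
    esac
}

# Usage: sh check_wls.sh /path/to/wlserver http://weblogic.example:7001
# (example arguments; nothing runs when the script is sourced without them)
if [ "$#" -ge 2 ]; then
    echo "archives found under $1: $(count_wls_wars "$1")"
    find_wls_wars "$1"
    for p in /_async/AsyncResponseService /wls-wsat/CoordinatorPortType; do
        code=$(probe_path "$2" "$p")
        echo "$p -> HTTP $code ($(classify_status "$code"))"
    done
fi
```

Run it against each managed server, not only the admin server: the archives are deployed per server, and a proxy rule that blocks /_async/* on one listen address says nothing about another. Both endpoints should report `blocked` or `absent`; any `exposed` result means the mitigation is incomplete on that host.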

The only good news is that CVE-2019-2729 does not affect every WebLogic release: Oracle lists 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0 as the affected versions, so check the installed version before deciding whether the out-of-band patch applies.

Oracle WebLogic Server is a preferred target

Oracle WebLogic is a Java EE application server that is part of Oracle’s Fusion Middleware portfolio and supports a variety of popular databases.

It is widely deployed and typically connected to other enterprise systems, so a compromised server can serve as a stepping stone for attackers looking to steal sensitive data. Still, it is most often targeted for its computing resources, which attackers hijack to covertly mine cryptocurrency.