Using Oracle WebLogic? Put down your coffee, drop out of Discord, grab this patch right now: Vuln under attack

Emergency security fix emitted for remote code exec hole exploited in the wild

weeping techie with crumpled coffee cups

Oracle has issued an emergency critical update to address a remote code execution vulnerability in its WebLogic Server component for Fusion Middleware – a flaw miscreants are exploiting in the wild to hijack systems.

The programming blunder, designated CVE-2019-2729, is present in WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, and 12.2.1.3.0. The vulnerability itself is caused by a deserialization bug in the XMLDecoder for WebLogic Server Web Services.

When exploited, a remote attacker can execute malicious code on the targeted machine via an HTTP request without any credentials or authorization, a nightmare scenario for a server platform, and especially one facing the public internet.

Making the fix for this flaw even more urgent is the report from US-CERT that working exploits for the vulnerability have already been spotted being wielded by scumbags in the wild.

Oracle recommends that admins test and install the update as soon as possible.

In posting the patch, Oracle credited a crop of 11 security researchers for spotting and reporting the vulnerability and exploits: Zhiyi Zhang from Codesafe Team of Legendsec at Qi'anxin Group, Zhao Chang of Venustech ADLab, Yuxuan Chen, Ye Zhipeng of Qianxin Yunying Labs, WenHui Wang of State Grid, Sukaralin, orich1 of CUIT D0g3 Secure Team, Lucifaer, Foren Lim, Fangrun Li of Creditease Security Team, and Badcode of Knownsec 404 Team.

Speaking of Knownsec 404, it has mitigations and some more details here.

This patch comes just one day after Oracle patched a similar deserialization flaw in WebLogic Server, designated CVE-2019-2725. Like today's release, that bug allows for remote code execution on the vulnerable servers and was likewise considered to be a critical, ASAP patch install. Oracle did not say if that vulnerability is also under active exploit.

Developers who have yet to install one or both of the fixes would be well-advised to read and follow Oracle's advisories. ®




Biting the hand that feeds IT © 1998–2019