Executive Summary: A new critical vulnerability has been discovered that affects several versions of the Oracle WebLogic server. The bug has classed as critical-level security risk and has a CVSS Base Score of 9.8. The vulnerability has already been exploited in the wild by several unknown hacker groups.
This security update highlights a deserialization vulnerability in the XMLDecoder within the Oracle WebLogic server. This new exploitation technique allows attackers to remotely run arbitrary commands on the affected servers by simply sending a specially crafted HTTP request. This remote code execution (RCE) flaw does not require any form of authentication/remote access credentials in order to be leveraged.
The new critical flaw is related to the previous 0-day vulnerability (CVE-2019-2725) discovered in April 2019 which has been patched. This previous vulnerability has been exploited in several attack variations such as; “Sodinokibi” and “GraandCrab ransomware as well as the “XMRIG” cryptocurrency mining malware attacks. Both critical vulnerabilities rely on the deserialization process in XMLDecoder.
Detect: Any Oracle WebLogic servers which have not already been updated will be affected by this vulnerability. ITC customers who are subscribed to the ITC VI service can request a scan to identify affected operating.
Affected Products: Oracle WebLogic Server, versions; 10.3.6.0.0, 22.214.171.124.0, 126.96.36.199.0
Prevent: Due to the severity of this vulnerability, ITC strongly recommends that customers apply the updates provided by the Oracle Security Alert Advisory – CVE-2019-2729.
React: Oracle have released an emergency software update and patches for CVE-2019-2729. It is advised that these updates are applied and installed as soon as possible. If patching is not currently possible, the temporary mitigations for CVE-2019-2725 are applicable:
- Delete the wls9_async_response.war, wls-wsat.war packages from the WebLogic server, and restart the Weblogic service
- Restrict or disable access to the “/_async/*” and “/wls-wsat/” URL paths on the WebLogic server