CVE-2019-2729 : Oracle Releases Out-of-Band Patch for WebLogic Server Deserialization Vulnerability
Out-of-band security advisory addresses second Oracle WebLogic Server vulnerability in two months.
Contexte
On June 18, Oracle published an out-of-band security advisory to address a critical vulnerability in Oracle WebLogic Server.
Analyse
CVE-2019-2729 is a deserialization vulnerability in the XMLDecoder in Oracle WebLogic Server Web Services. An unauthenticated attacker could remotely exploit this vulnerability to gain remote code execution (RCE) on vulnerable systems. This vulnerability follows another deserialization vulnerability, CVE-2019-2725, that was reported as a zero-day on April 17, 2019 and patched on April 26, 2019.
On June 15, researchers from the KnownSec 404 Team published a blog stating they were able to bypass the patch that addressed CVE-2019-2725 in April. The researchers said they found “a new oracle webLogic[sic] deserialization RCE 0day vulnerability” that “is being actively used in the wild” and they had contacted Oracle to inform them of these new developments.
Oracle said in a blog post that,while both CVE-2019-2725 and CVE-2019-2729 are deserialization flaws, CVE-2019-2729 is “a distinct vulnerability.” Following the advisory from Oracle, KnownSec have since updated the June 15 blog to confirm that CVE-2019-2729 addresses the vulnerability they discovered in the wild.
Attackers moved quickly to incorporate CVE-2019-2725 into campaigns for the Sodinokibi ransomware and GandCrab ransomware and XMRig cryptocurrency miner. Nearly two months later, it continues to be utilized by attackers in another Monero cryptocurrency mining campaign and as part of a new variant of Mirai, the internet-of-things (IoT) malware’s tool kit of exploits. We believe that once proofs-of-concept (PoCs) are available for CVE-2019-2729 it will become another favorite among attackers.
Démonstration de faisabilité (PoC)
At the time this blog was published, there was no known PoC code available for CVE-2019-2729. However, the KnownSec 404 Team reports seeing exploitation of this vulnerability in the wild. Tenable anticipates updated PoCs will become available soon.
Solution
Oracle has released fixes for Oracle WebLogic Server versions 10.3.6.0.0 and 12.1.3.0.0. At the time this blog was published, fixes for WebLogic Server 12.2.1.3.0 had not been released.
If patching is not currently feasible, previous mitigations for CVE-2019-2725 are applicable to CVE-2019-2729. These workarounds are:
- Delete the wls9_async_response.war, wls-wsat.war packages from the WebLogic server, and restart the Weblogic service
- Restrict access to, or disable, the “/_async/*” and “/wls-wsat/” URL paths on the WebLogic server
Identification des systèmes affectés
A list of Tenable plugins to identify this vulnerability will appear here as they’re released.
En savoir plus
Rejoignez l'équipe SRT de Tenable sur Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io.
Articles connexes
Cybersecurity Snapshot: U.S. Gov’t Unpacks AI Threat to Banks, as NCSC Urges OT Teams to Protect Cloud SCADA Systems
March 29, 2024Check out new guidance for banks on combating AI-boosted fraud. Plus, how to cut cyber risk when migrating SCADA systems to the cloud. Meanwhile, why CISA is fed up with SQLi flaws. And best practices to prevent and respond to DDoS attacks. And much more!
Cybersecurity Snapshot: NSA Picks Top Cloud Security Practices, while CNCF Looks at How Cloud Native Can Facilitate AI Adoption
March 22, 2024Check out the NSA’s 10 key best practices for securing cloud environments. Plus, learn how cloud native computing could help streamline your AI deployments. Meanwhile, don’t miss the latest about cyberthreats against water treatment plants and critical infrastructure in general. And much more!
How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform: The Importance of Contextual Prioritization
March 11, 2024Discover how contextual prioritization of exposure is revolutionizing OT/IoT security, enabling organizations to shift from reactive to proactive breach prevention.
CVE-2024-4040: CrushFTP Virtual File System (VFS) Sandbox Escape Vulnerability Exploited
April 23, 2024A zero-day vulnerability in CrushFTP was exploited in the wild against multiple U.S. entities prior to fixed versions becoming available as the vendor recommends customers upgrade as soon as possible.
Operational Technology in the DoD: Ensuring a Secure and Efficient Power Grid
April 19, 2024In an evolving threat landscape, the DoD must make sure that its mission-critical operations don’t experience power outages.
Cybersecurity Snapshot: Cyber Agencies Offer Secure AI Tips, while Stanford Issues In-Depth AI Trends Analysis, Including of AI Security
April 19, 2024Check out recommendations for securing AI systems from the Five Eyes cybersecurity agencies. Plus, Stanford University offers a comprehensive review of AI trends. Meanwhile, a new open-source tool aims to simplify SBOM usage. And don’t miss the latest CIS Benchmarks updates. And much more!
- Internet of Things
- Threat Intelligence
- Threat Management
- Vulnerability Management
- Vulnerability Scanning