image credit: blogs.oracle.com
Oracle has released an out-of-band security update to address a critical vulnerability in Oracle WebLogic Server. A deserialization flaw allows remote code execution and is tracked with CVE-2019-2729. This vulnerability is rated critical and is found to be exploited in-the-wild.
The vulnerability exists due to a deserialization flaw in XMLDecoder in Oracle WebLogic Server Web Services and is triggered by wls9_async and wls-wsat components in Oracle WebLogic allowing unauthenticated remote code execution. This vulnerability was published by researchers from the KnownSec 404 Team claiming that they were able to bypass the patch that was issued in April (CVE-2019-2725). As per the researchers,
"a new Oracle WebLogic deserialization RCE 0day vulnerability was found and is being actively used in the wild. We analyzed and reproduced the 0day vulnerability, which is based on and bypasses the patch for CVE-2019–2725"
But, Oracle has clarified that although both CVE-2019-2725 and CVE-2019-2729 are deserialization issues, CVE-2019-2729 is a distinct vulnerability from CVE-2019-2725.
At the time of publishing this blog, no known PoC code was available for CVE-2019-2729. However, the KnownSec 404 Team reports seeing the exploitation of this vulnerability in the wild. They also posted an image of successful RCE exploitation achieved by exploiting this vulnerability.
image credit: medium.com
The vulnerability affects these versions of the application:
- Oracle WebLogic Server 10.3.6.0.0
- Oracle WebLogic Server 22.214.171.124.0
- Oracle WebLogic Server 126.96.36.199.0
An attacker can run arbitrary code in the context of the affected application.
The Oracle WebLogic patches are available only for customers. Please be advised to download the patch from Oracle portal and install. SanerNow’s software deployment capability can be used to install executable/scripts.
Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible
Two mitigations are available:
- If components wls9_async_response and wls-wsat are not applied in the WLS cluster, find and delete wls9_async_response.war, wls-wsat.war and restart the WebLogic service.
- Control URL access for the /_async/* and /wls-wsat/* paths by access policy control.