Oracle released the quarterly critical patch updates in April 2019. And in less than a week, a zero-day was found exploiting in-the-wild. The vulnerability exists in Oracle Weblogic Server which has been targeted repeatedly due to its popularity and access to huge business sensitive information.
What is the issue?
A remote code execution vulnerability exists in Oracle Weblogic Sever. This vulnerability has been identified as CVE-2019-2725. This vulnerability was reported by KnownSec 404 Team. And, SANS ISC InfoSec Forums observed active attacks trying to install crypto coin miners.
Processing of untrusted input is one of the major techniques through which attackers find their way inside systems. The issue here is that of insecure deserialization. The flaw exists in the wls9_async_response package. The components wls9_async and wls-wsat trigger the vulnerability. An attacker can input a serialized maliciously crafted file. Upon processing, this file is deserialised and can execute the malicious content inside it with elevated privileges.
image credit: www.waratek.com
The vulnerability affects these versions of the application:
- Weblogic 10.3.6.0.0
- WebLogic 220.127.116.11.0
A remote attacker can execute arbitrary code on the target machine by giving a specially crafted file as input.
Oracle has released an out-of-band security update to deal with the vulnerability. Also, Oracle advises that the patches be applied at the earliest due to the severity of the issue.