Oracle said that a critical remote code execution flaw in its WebLogic Server is being actively exploited in the wild.
The remote code execution flaw (CVE-2019-2729) impacts a number of versions of Oracle’s WebLogic Server, which is used for building and deploying enterprise applications. The vulnerability has a CVSS score of 9.8 out of 10; it is rated so severely in part because it is remotely exploitable without authentication.
“Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible,” according to Oracle’s Tuesday security advisory.
The issue stems from a deserialization vulnerability in the XMLDecoder in Oracle’s WebLogic Server web services. The XMLDecoder class is used to read XML documents created using the XMLEncoder according to Oracle.
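As an added illustration (not code from the article, from Oracle or from KnownSec 404), the following Python pre-filter shows why untrusted XMLDecoder input is dangerous and how a service could reject documents that name unexpected classes before they reach the decoder; the allowlist and the two sample documents are constructed for this example.

```python
# Added example, not part of the original article. java.beans.XMLDecoder
# instantiates whatever class an <object class="..."> element names and calls
# whatever <void method="..."> names, so untrusted XML reaching it is a remote
# code execution risk. This defender-side pre-filter parses an XMLEncoder-format
# document and rejects it if any referenced class is outside an allowlist.
import xml.etree.ElementTree as ET

# Constructed allowlist: the only classes a hypothetical service expects.
ALLOWED_CLASSES = {"java.lang.String", "java.util.ArrayList", "com.example.Order"}


def referenced_classes(xml_text):
    """Return every class name the document would make XMLDecoder load."""
    root = ET.fromstring(xml_text)
    classes = set()
    for elem in root.iter():
        if elem is root:
            # The <java class="java.beans.XMLDecoder"> header names the decoder
            # itself, not a class to instantiate.
            continue
        # <object class=...>, <new class=...> and static calls <void class=...>
        if elem.get("class"):
            classes.add(elem.get("class"))
        # <class>java.lang.Foo</class> literals also name a class to load.
        if elem.tag == "class" and elem.text:
            classes.add(elem.text.strip())
    return classes


def check_document(xml_text):
    """Return (ok, disallowed): ok is False if any class is outside the allowlist."""
    try:
        classes = referenced_classes(xml_text)
    except ET.ParseError:
        return False, ["<malformed XML>"]
    disallowed = sorted(c for c in classes if c not in ALLOWED_CLASSES)
    return (not disallowed), disallowed


# Constructed sample documents in the format XMLEncoder produces.
BENIGN = """<java version="1.8.0" class="java.beans.XMLDecoder">
 <object class="com.example.Order">
  <void property="id"><string>A-100</string></void>
 </object>
</java>"""

SUSPICIOUS = """<java version="1.8.0" class="java.beans.XMLDecoder">
 <object class="com.example.UnexpectedHelper">
  <void method="run"/>
 </object>
</java>"""

if __name__ == "__main__":
    print(check_document(BENIGN))      # (True, [])
    print(check_document(SUSPICIOUS))  # (False, ['com.example.UnexpectedHelper'])
```

A filter like this only narrows exposure; the vendor patch, and not exposing XMLDecoder to unauthenticated input at all, remain the actual fix.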
Impacted are Oracle WebLogic Server versions 10.3.6.0.0, 184.108.40.206.0 and 220.127.116.11.0.
Researchers with KnownSec 404 said the vulnerability bypasses a fix for an infamous Oracle WebLogic Server deserialization flaw (CVE-2019-2725), which was disclosed earlier this year and patched on April 26.
“A new Oracle WebLogic deserialization RCE 0day vulnerability was found and is being actively used in the wild. We analyzed and reproduced the 0day vulnerability, which is based on and bypasses the patch for CVE-2019-2725,” researchers said in an analysis over the weekend.
However, John Heimann, Oracle’s vice president of security program management, disputed the researchers’ claim that the newly disclosed flaw is related to CVE-2019-2725: “Please note that while the issue addressed by this alert is a deserialization vulnerability, like that addressed in Security Alert CVE-2019-2725, it is a distinct vulnerability,” he said in a Tuesday security alert.
Neither Oracle nor KnownSec 404 has responded to requests for comment regarding the two contradicting reports.
Regardless, researchers with KnownSec 404, who are credited (among others) for discovering the flaw, said that they have seen the vulnerability being actively exploited in the wild, and warned users to update.
[Embedded tweet from Seebug (@seebug_team), June 15, 2019]
Critical flaws in Oracle WebLogic Servers continue to be a thorn in the security community’s side.
Researchers said that attackers have been exploiting the older deserialization flaw, CVE-2019-2725, since April 21 in malicious campaigns revolving around the “Sodinokibi” ransomware, a new variant of the Muhstik botnet, and GandCrab ransomware.
The sheer number of vulnerable instances and exploit attempts around this flaw shows how serious it is: A scan in May showed more than 41,000 publicly accessible WebLogic instances in the wild, while Palo Alto Networks said that it detected over 600 exploitation attempts targeting CVE-2019-2725.