CVE-2019-2729: Oracle Releases Out-of-Band Patch for WebLogic Server Deserialization Vulnerability
Out-of-band security advisory addresses second Oracle WebLogic Server vulnerability in two months.
Background
On June 18, Oracle published an out-of-band security advisory to address a critical vulnerability in Oracle WebLogic Server.
Analysis
CVE-2019-2729 is a deserialization vulnerability in the XMLDecoder in Oracle WebLogic Server Web Services. An unauthenticated attacker could remotely exploit this vulnerability to gain remote code execution (RCE) on vulnerable systems. This vulnerability follows another deserialization vulnerability, CVE-2019-2725, that was reported as a zero-day on April 17, 2019 and patched on April 26, 2019.
On June 15, researchers from the KnownSec 404 Team published a blog stating they were able to bypass the patch that addressed CVE-2019-2725 in April. The researchers said they found “a new oracle webLogic[sic] deserialization RCE 0day vulnerability” that “is being actively used in the wild” and they had contacted Oracle to inform them of these new developments.
Oracle said in a blog post that,while both CVE-2019-2725 and CVE-2019-2729 are deserialization flaws, CVE-2019-2729 is “a distinct vulnerability.” Following the advisory from Oracle, KnownSec have since updated the June 15 blog to confirm that CVE-2019-2729 addresses the vulnerability they discovered in the wild.
Attackers moved quickly to incorporate CVE-2019-2725 into campaigns for the Sodinokibi ransomware and GandCrab ransomware and XMRig cryptocurrency miner. Nearly two months later, it continues to be utilized by attackers in another Monero cryptocurrency mining campaign and as part of a new variant of Mirai, the internet-of-things (IoT) malware’s tool kit of exploits. We believe that once proofs-of-concept (PoCs) are available for CVE-2019-2729 it will become another favorite among attackers.
Proof of concept
At the time this blog was published, there was no known PoC code available for CVE-2019-2729. However, the KnownSec 404 Team reports seeing exploitation of this vulnerability in the wild. Tenable anticipates updated PoCs will become available soon.
Solution
Oracle has released fixes for Oracle WebLogic Server versions 10.3.6.0.0 and 12.1.3.0.0. At the time this blog was published, fixes for WebLogic Server 12.2.1.3.0 had not been released.
If patching is not currently feasible, previous mitigations for CVE-2019-2725 are applicable to CVE-2019-2729. These workarounds are:
- Delete the wls9_async_response.war, wls-wsat.war packages from the WebLogic server, and restart the Weblogic service
- Restrict access to, or disable, the “/_async/*” and “/wls-wsat/” URL paths on the WebLogic server
Identifying affected systems
A list of Tenable plugins to identify this vulnerability will appear here as they’re released.
Get more information
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io.
Related Articles
Cybersecurity Snapshot: Latest MITRE ATT&CK Update Offers Security Insights on GenAI, Identity, Cloud and CI/CD
April 26, 2024Check out what’s new in Version 15 of the MITRE ATT&CK knowledge base of adversary tactics, techniques and procedures. Plus, learn the latest details about the Change Healthcare breach, including the massive scope of the data exfiltration. In addition, why AI cyberthreats aren’t impacting CISOs’ budgets. And much more!
Cybersecurity Snapshot: U.S. Gov’t Unpacks AI Threat to Banks, as NCSC Urges OT Teams to Protect Cloud SCADA Systems
March 29, 2024Check out new guidance for banks on combating AI-boosted fraud. Plus, how to cut cyber risk when migrating SCADA systems to the cloud. Meanwhile, why CISA is fed up with SQLi flaws. And best practices to prevent and respond to DDoS attacks. And much more!
Cybersecurity Snapshot: NSA Picks Top Cloud Security Practices, while CNCF Looks at How Cloud Native Can Facilitate AI Adoption
March 22, 2024Check out the NSA’s 10 key best practices for securing cloud environments. Plus, learn how cloud native computing could help streamline your AI deployments. Meanwhile, don’t miss the latest about cyberthreats against water treatment plants and critical infrastructure in general. And much more!
Cybersecurity Snapshot: Latest MITRE ATT&CK Update Offers Security Insights on GenAI, Identity, Cloud and CI/CD
April 26, 2024Check out what’s new in Version 15 of the MITRE ATT&CK knowledge base of adversary tactics, techniques and procedures. Plus, learn the latest details about the Change Healthcare breach, including the massive scope of the data exfiltration. In addition, why AI cyberthreats aren’t impacting CISOs’ budgets. And much more!
CVE-2024-20353, CVE-2024-20359: Frequently Asked Questions About ArcaneDoor
April 25, 2024Frequently asked questions about CVE-2024-20353 and CVE-2024-20359, two vulnerabilities associated with “ArcaneDoor,” the espionage-related campaign targeting Cisco Adaptive Security Appliances.
CVE-2024-4040: CrushFTP Virtual File System (VFS) Sandbox Escape Vulnerability Exploited
April 23, 2024A zero-day vulnerability in CrushFTP was exploited in the wild against multiple U.S. entities prior to fixed versions becoming available as the vendor recommends customers upgrade as soon as possible.
- Internet of Things
- Threat Intelligence
- Threat Management
- Vulnerability Management
- Vulnerability Scanning