Oracle releases emergency patch for WebLogic, exploits in the wild


Oracle has disclosed a bug in its WebLogic Server software that is both highly critical and already under attack.

Oracle WebLogic software is turning out to be a favorite target for cybercriminals looking to exploit server hardware for cryptocurrency mining. In May a deserialisation flaw affecting WebLogic was used to spread ransomware, prompting an alert from Oracle to urgently apply its updates.

As with the bug patched in May, the latest flaw was reported by researchers at KnownSec 404 and is once again a deserialisation flaw.

The new Oracle security alert covers a remote code execution flaw tagged as CVE-2019-2729, which Oracle describes as “a deserialisation vulnerability via XMLDecoder in Oracle WebLogic Server Web Services.”

“This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password,” Oracle notes in its advisory. The bug carries a CVSS base score of 9.8 out of a possible 10.
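Oracle's description points at the java.beans.XMLDecoder format: an XML document whose `<java class="java.beans.XMLDecoder">` root wraps `<object class="...">` construction and `<void method="...">` invocation elements, which the decoder turns into live object creation and method calls. A legitimate SOAP request to a web service has no reason to carry such a document. The following is an added example, not code from Oracle, Tenable or KnownSec 404, that flags request bodies containing those XMLDecoder markers; it relies only on the public XMLDecoder element names, the two sample messages are constructed here for illustration, and it says nothing about which WebLogic endpoint or header the real exploits target. It is a coarse indicator for log review or a WAF rule, not a substitute for applying Oracle's patch.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from typing import List


def _local_name(tag: str) -> str:
    """Strip an ElementTree namespace prefix like '{uri}Body' down to 'Body'."""
    return tag.rsplit("}", 1)[-1]


def find_xmldecoder_markers(body: str) -> List[str]:
    """Return a list of human-readable findings for XMLDecoder constructs in an XML body.

    Markers checked (all part of the documented java.beans.XMLEncoder/XMLDecoder format):
      - a <java> element declaring class="java.beans.XMLDecoder"
      - an <object class="..."> element (object construction)
      - a <void method="..."> element (method invocation on the enclosing object)
    A body that is not well-formed XML is reported as a finding rather than silently passed,
    since a decoder-bound payload that our parser rejects should still be looked at.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]

    findings: List[str] = []
    for element in root.iter():  # document order, namespace-agnostic
        name = _local_name(element.tag)
        if name == "java" and element.get("class") == "java.beans.XMLDecoder":
            findings.append("XMLDecoder root element")
        elif name == "object" and element.get("class"):
            findings.append(f"object construction: {element.get('class')}")
        elif name == "void" and element.get("method"):
            findings.append(f"method call: {element.get('method')}")
    return findings


def is_suspicious(body: str) -> bool:
    """True when the body contains any XMLDecoder marker (or cannot be parsed)."""
    return bool(find_xmldecoder_markers(body))


# Constructed sample 1: an ordinary SOAP request, which must not be flagged.
SOAP_BENIGN = """<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <getQuote xmlns="urn:example"><symbol>ORCL</symbol></getQuote>
  </soapenv:Body>
</soapenv:Envelope>"""

# Constructed sample 2: a SOAP message smuggling an XMLDecoder document. The embedded
# object graph is deliberately harmless (a HashMap with one entry); the point is the
# structure, which is what a decoder would act on regardless of the class named.
SOAP_WITH_XMLDECODER = """<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <java version="1.8" class="java.beans.XMLDecoder">
      <object class="java.util.HashMap">
        <void method="put">
          <string>key</string>
          <string>value</string>
        </void>
      </object>
    </java>
  </soapenv:Body>
</soapenv:Envelope>"""


if __name__ == "__main__":
    for label, sample in (("benign", SOAP_BENIGN), ("xmldecoder", SOAP_WITH_XMLDECODER)):
        print(label, "->", find_xmldecoder_markers(sample) or "clean")
```

Run against the two constructed messages, the benign request yields no findings and the second yields the root marker, the HashMap construction and the `put` call, in document order. Because the check walks every element regardless of namespace, an XMLDecoder document nested anywhere in an envelope (header or body) is caught; because unparseable input is reported rather than ignored, a malformed body cannot be used to slip past the check.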

Oracle emphasised in a blogpost that the newly disclosed bug is “distinct” from CVE-2019-2725 reported in April, so admins will need to apply the new patch, despite the two bugs' similarities.

US-CERT, now part of the Cybersecurity and Infrastructure Security Agency (CISA), is also urging admins to apply Oracle’s update because the bug is already being actively exploited.

“Oracle has released a security alert to address a vulnerability in WebLogic. A remote attacker could exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild,” CISA said.

Oracle similarly urges immediate action. “Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible,” the database giant said.

Security firm Tenable has published the background to this particular issue. KnownSec 404 said in mid-June that they were able to bypass the patch Oracle released for CVE-2019-2725. The researchers later also claimed that a separate, undisclosed bug in WebLogic was being exploited in the wild.

The new bug is likely to be exploited by cybercriminals, given its similarity to the April bug.

“Attackers moved quickly to incorporate CVE-2019-2725 into campaigns for the Sodinokibi ransomware and GandCrab ransomware and XMRig cryptocurrency miner," wrote Satnam Narang from Tenable Security.

“Nearly two months later, it continues to be utilized by attackers in another Monero cryptocurrency mining campaign and as part of a new variant of Mirai, the internet-of-things (IoT) malware’s tool kit of exploits. We believe that once proofs-of-concept (PoCs) are available for CVE-2019-2729 it will become another favourite among attackers.”

Affected versions of Oracle WebLogic Server are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0, according to Oracle.

The size of the credit list for reporting CVE-2019-2729 suggests this bug isn’t exactly a secret among security researchers.

Oracle attributes the reporting of the vulnerability to 11 security researcher identities that mostly appear to have Chinese names.

Copyright © 2019 IDG Communications, Inc.
