New Oracle WebLogic Zero-day Vulnerability Allows Remote Attacks Without Authentication

Oracle published an out-of-band security alert advisory on CVE-2019-2729, a zero-day deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services. The abuse of CVE-2019-2729, a remote code execution (RCE) vulnerability that is related to another deserialization flaw (CVE-2019-2725) discovered in April, could allow remote attackers to execute arbitrary code on targeted servers.

Customers have been advised to immediately apply the required patches because of the severity of CVE-2019-2729, which has a CVSS score of 9.8 out of 10. KnownSec 404 Team, the group that first reported the vulnerability, said that attackers are already trying to exploit it in the wild.

Authentication not required to exploit CVE-2019-2729

CVE-2019-2729 impacts Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, and 12.2.1.3.0. The vulnerability can be easily exploited by an unauthenticated attacker with network access via HTTP. In essence, the attackers don’t need credentials to exploit the vulnerability over a network. If done successfully, the exploitation of the vulnerability can result in the takeover of the targeted Oracle WebLogic servers.

Similarities with CVE-2019-2725

The previously patched CVE-2019-2725 is similar to CVE-2019-2729 in base score and in the way that it can be exploited without the need for user login credentials. CVE-2019-2725 was also exploited by attackers as a zero-day vulnerability to install cryptocurrency-mining malware.

Trend Micro researchers reported on such activity, which involves the abuse of CVE-2019-2725 to install a Monero-mining malware variant on affected systems. Interestingly, the attackers behind the scheme used certificate files to hide the malware variant’s malicious code. This obfuscation tactic was used in an attempt to evade detection.

Security recommendations and Trend Micro solutions

Organizations should apply the updates provided in Oracle’s advisory to defend against attacks exploiting CVE-2019-2729, especially now that it’s reportedly under active exploitation.

Organizations can take advantage of the Trend Micro™ Deep Discovery™ solution, which can provide detection, in-depth analysis, and proactive response to attacks that use exploits and other similar threats. It uses specialized engines, custom sandboxing, and seamless correlation across the entire attack life cycle, allowing it to detect threats even without any engine or pattern update. In addition, organizations can monitor all ports and network protocols for advanced threats with the Trend Micro Deep Discovery Inspector network appliance. Deep Discovery Inspector protects customers from these threats via this DDI Rule:
  • 2903: Possible Oracle Weblogic Remote Command Execution Exploit - HTTP (Request)
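The page does not publish what the vendor rule above matches on, so the following is an added, hypothetical illustration (not Trend Micro's or Oracle's code) of the kind of request-level heuristic a defender can run over captured web traffic for this class of bug: a SOAP-over-HTTP request (the transport is an assumption; the advisory only says "Web Services" over HTTP) whose XML carries java.beans.XMLDecoder markup. The sample requests are constructed for the example and contain no payload; a cheap regex pre-filter is followed by a real XML parse so that a mere mention of the class name in text does not fire, while malformed XML that still carries the marker is flagged for review.

```python
import re
from typing import List, Tuple
from xml.etree import ElementTree as ET

# Cheap pre-filter: the XMLDecoder class name, or a <java ...> root element
# (the element XMLDecoder documents expect). Hypothetical heuristic, not the
# logic of the vendor rule named in the article.
XMLDECODER_RE = re.compile(r"java\.beans\.XMLDecoder|<\s*java\b", re.IGNORECASE)


def is_suspicious_soap_request(method: str, content_type: str, body: str) -> bool:
    """Return True when an HTTP request looks like it delivers XMLDecoder
    markup to an XML web service endpoint."""
    if method.upper() != "POST":
        return False
    if "xml" not in content_type.lower():
        return False
    if not XMLDECODER_RE.search(body):
        return False
    # Confirm with a parse: only an actual <java> element or an element
    # declaring class="java.beans.XMLDecoder" counts. Text mentions don't.
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        # Design choice: malformed XML that still carries the marker is
        # worth an analyst's look rather than a silent drop.
        return True
    for el in root.iter():
        local_tag = el.tag.split("}")[-1].lower()  # strip any namespace
        if local_tag == "java" or el.get("class", "") == "java.beans.XMLDecoder":
            return True
    return False


def scan_requests(requests: List[Tuple[str, str, str]]) -> List[int]:
    """Return the indices of (method, content_type, body) records that trip
    the heuristic, e.g. records reconstructed from a proxy or WAF capture."""
    return [i for i, (m, ct, b) in enumerate(requests)
            if is_suspicious_soap_request(m, ct, b)]


SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample 1: an ordinary SOAP call, nothing to flag.
LEGIT_REQUEST = f"""<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">
  <soapenv:Header/>
  <soapenv:Body><status:GetStatus xmlns:status="urn:example:status"/></soapenv:Body>
</soapenv:Envelope>"""

# Constructed sample 2: XMLDecoder markup smuggled into the SOAP header.
# The inner content is a harmless string, not an exploit.
XMLDECODER_REQUEST = f"""<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">
  <soapenv:Header>
    <java version="1.8" class="java.beans.XMLDecoder">
      <string>constructed sample, not a payload</string>
    </java>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""

# Constructed sample 3: the class name appears only as text; must not fire.
TEXT_MENTION_REQUEST = f"""<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">
  <soapenv:Body><note>Our parser replaced java.beans.XMLDecoder last year.</note></soapenv:Body>
</soapenv:Envelope>"""

# Constructed sample 4: truncated/malformed XML that still carries the marker.
MALFORMED_REQUEST = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">
  <soapenv:Header><java class="java.beans.XMLDecoder">"""

SAMPLE_REQUESTS = [
    ("POST", "text/xml; charset=utf-8", LEGIT_REQUEST),
    ("POST", "text/xml; charset=utf-8", XMLDECODER_REQUEST),
    ("GET", "text/xml", XMLDECODER_REQUEST),        # wrong method: ignored
    ("POST", "application/soap+xml", TEXT_MENTION_REQUEST),
    ("POST", "text/xml", MALFORMED_REQUEST),
]

if __name__ == "__main__":
    for idx in scan_requests(SAMPLE_REQUESTS):
        print(f"request #{idx} flagged for XMLDecoder markup")
```

Run as-is it flags records 1 and 4 of the constructed set; to apply it to real traffic, feed it request records pulled from a reverse proxy or WAF log and treat a hit as a trigger for the patching and investigation steps above, not as proof of compromise.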

Technologies like virtual patching and application control can help organizations avoid the burden of ad hoc patching. An audit tool can also help organizations include the important patches in a scheduled patch cycle to help ease the burden of planning and deployment.

The Trend Micro™ Deep Security™ solution provides virtual patching that protects servers and endpoints from threats that abuse vulnerabilities in critical applications. Deep Security™ and Vulnerability Protection protect systems and users via the following Deep Packet Inspection (DPI) rule:

  • 1009816 - Oracle Weblogic Server Remote Code Execution Vulnerability (CVE-2019-2729)