Oracle published an out-of-band security alert advisory on CVE-2019-2729, a zero-day deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services. The abuse of CVE-2019-2729, a remote code execution (RCE) vulnerability that is related to another deserialization flaw (CVE-2019-2725) discovered in April, could allow remote attackers to execute arbitrary code on targeted servers.
Customers have been advised to immediately apply the required patches because of the severity of CVE-2019-2729, which has a CVSS score of 9.8 out of 10. KnownSec 404 Team, the group that first reported about the vulnerability, said that attackers are already trying to exploit it in the wild.
Authentication not required to exploit CVE-2019-2729
CVE-2019-2729 impacts Oracle WebLogic Server versions 10.3.6.0.0, 22.214.171.124.0, and 126.96.36.199.0. The vulnerability can be easily exploited by an unauthenticated attacker with network access via HTTP. In essence, the attackers don’t need credentials to exploit the vulnerability over a network. If done successfully, the exploitation of the vulnerability can result in the takeover of the targeted Oracle WebLogic servers.
Similarities with CVE-2019-2725
The previously patched CVE-2019-2725 is similar with CVE-2019-2729 in base score and the way that it can be exploited without the need for user login credentials. CVE-2019-2725 was also exploited by attackers as a zero-day vulnerability to install cryptocurrency-mining malware.
Trend Micro researchers reported on such activity, which involves the abuse of CVE-2019-2725 to install a Monero-mining malware variant on affected systems. Interestingly, the attackers behind the scheme used certificate files to hide the malware variant’s malicious code. This obfuscation tactic was used in an attempt to evade detection.
Security recommendations and Trend Micro solutions
Organizations should apply the updates provided in Oracle’s advisory to defend against attacks exploiting CVE-2019-2729, especially now that it’s reportedly under active exploitation.
Organizations can take advantage of the Trend Micro™ Deep Discovery™ solution, which can provide detection, in-depth analysis, and proactive response to attacks that use exploits and other similar threats. It uses specialized engines, custom sandboxing, and seamless correlation across the entire attack life cycle, allowing it to detect threats even without any engine or pattern update. In addition, organizations can monitor all ports and network protocols for advanced threats with the Trend Micro Deep Discovery Inspector network appliance. Deep Discovery Inspector protects customers from these threats via this DDI Rule:
Technologies like virtual patching and application control can help organizations avoid the burden of ad hoc patching. An audit tool can also help organizations include the important patches in a scheduled patch cycle to help ease the burden of planning and deployment.