another day, another CVE —

Oracle issues emergency update to patch actively exploited WebLogic flaw

Oracle's WebLogic Java appserver hit with the third in a series of exploited RCEs.

Security team KnownSec404 proof-of-concept image, showing an instance of Windows Calculator being run on the remote WebLogic server.

Oracle on Tuesday published an out-of-band update patching a critical code-execution vulnerability in its WebLogic server after researchers warned that the flaw was being actively exploited in the wild.

The vulnerability, tracked as CVE-2019-2729, allows an attacker to run malicious code on the WebLogic server without any need for authentication. That capability earned the vulnerability a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10. The vulnerability is a deserialization flaw in two Web applications that WebLogic appears to expose to the Internet by default—wls9_async_response and wls-wsat.war.

The flaw in Oracle's WebLogic Java application servers came to light as a zero-day four days ago when it was reported by security firm KnownSec404.

This isn't the first, or even second, deserialization attack that has been used to target these services. The wls-wsat component was successfully exploited in a similar fashion in 2017, and KnownSec404 reported another one in April. The 2017 vulnerability was largely used to install bitcoin miners; April's vulnerability was exploited in cryptojacking and ransomware campaigns. Oracle's current out-of-band patch and advisory notice have not officially acknowledged the active exploitation of CVE-2019-2729, but they do mark the vulnerability as high risk and advise customers to apply the out-of-band patch as soon as possible.

According to Johannes Ullrich of the SANS Technology Institute, Oracle has been patching this series of deserialization vulnerabilities by individually blacklisting the deserialization of very specific classes as each exploit is published. This implies the likelihood of an ongoing cat-and-mouse game in which attackers who understand the service well continue to find and exploit a pool of available vulnerabilities as needed and sparingly.
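To make Ullrich's point concrete, here is an added example (not code from the article, from Oracle, or from WebLogic) using the JDK's own ObjectInputFilter, available since Java 9. A deny-list filter of the kind described blocks only the class it names and leaves every other class undecided, i.e. allowed, so each newly discovered class needs a new entry; an allow-list filter rejects anything the application did not declare. The Ticket class, the filter patterns and the sample objects are assumptions chosen for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;

public class DeserializationFilterDemo {

    // Hypothetical application type that the service legitimately expects to receive.
    static class Ticket implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        Ticket(String id) { this.id = id; }
    }

    // Serialize any object to a byte array (stands in for a request body).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize under the given filter; return the class name that came back,
    // or "REJECTED" when the filter stopped the stream with InvalidClassException.
    static String deserializeWith(ObjectInputFilter filter, byte[] data) throws IOException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "REJECTED (" + e.getMessage() + ")";
        } catch (ClassNotFoundException e) {
            throw new IOException(e);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample streams: one expected type and two types the
        // application never asked for (both harmless here; they only stand in
        // for "a class the filter author did not anticipate").
        byte[] ticket = serialize(new Ticket("T-42"));
        byte[] map = serialize(new HashMap<String, String>());
        byte[] list = serialize(new ArrayList<String>());

        // Deny-list: patterns are checked in order; "!" rejects the named class,
        // and any class matching no pattern is UNDECIDED, which lets it through.
        ObjectInputFilter denyList =
                ObjectInputFilter.Config.createFilter("!java.util.HashMap");

        // Allow-list: accept the app's own classes (prefix match on "*") and
        // java.lang, then reject everything else with the trailing "!*".
        ObjectInputFilter allowList =
                ObjectInputFilter.Config.createFilter("DeserializationFilterDemo*;java.lang.*;!*");

        System.out.println("deny-list,  Ticket   : " + deserializeWith(denyList, ticket));
        System.out.println("deny-list,  HashMap  : " + deserializeWith(denyList, map));
        System.out.println("deny-list,  ArrayList: " + deserializeWith(denyList, list));   // slips through
        System.out.println("allow-list, Ticket   : " + deserializeWith(allowList, ticket));
        System.out.println("allow-list, HashMap  : " + deserializeWith(allowList, map));
        System.out.println("allow-list, ArrayList: " + deserializeWith(allowList, list)); // rejected
    }
}
```

Compile and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo`. The ArrayList line is the one that matters: under the deny-list it deserializes normally because nobody listed it, which is exactly the gap a per-class blacklist leaves open until the next entry is added, while under the allow-list it is refused before any of its fields are read. The same filter syntax can be applied process-wide through the `jdk.serialFilter` system property rather than per stream, which is the form an operator would reach for on a server they do not control the code of.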

KnownSec404 recommends mitigating these vulnerabilities ahead of the patch by either disabling the affected Asynchronous Request-Response and Web Service Atomic Transactions applications entirely, or by controlling access to them by network policy. Considering the frequency and active exploitation of vulnerabilities on these services, it's probably an excellent idea to at least limit access to them as narrowly as possible. User posts on StackOverflow and Oracle's support site make it clear that WebLogic users are disabling the two affected apps entirely, making sweeping statements to the effect of "you don't need them anyway." But without fully understanding the scope and utility of components installed by default, administrators should be very careful and extensively test any such modifications.
