On Tuesday Oracle published an out-of-band security update that had a patch to a critical code-execution vulnerability in its WebLogic server. “This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password,'' the Oracle update warned.
The vulnerability tracked as CVE-2019-2729, has received a Common Vulnerability Scoring System score of 9.8 out of 10. The vulnerability is a deserialization attack targeting two Web applications that WebLogic appears to expose to the Internet by default—wls9_async_response and wls-wsat.war.
The flaw in Oracle's WebLogic Java application servers came to light as a zero-day four days ago when it was reported by security firm KnownSec404.
“This isn't the first, or even second, deserialization attack that has been used to target these services. The wls-wsat component was successfully exploited in a similar fashion in 2017, and KnownSec404 reported another one in April. The 2017 vulnerability was largely used to install bitcoin miners; April's vulnerability was exploited in cryptojacking and ransomware campaigns”, Arstechnica reported.
John Heimann, Oracle's Security Program Vice-President, said, this was an incorrect assessment, and that the new attacks are exploiting a separate vulnerability that had nothing to do with the zero-day from April.
If patching is not possible right away, the researchers propose two mitigation solutions:
According to Johannes Ullrich of the SANS Technology Institute, Oracle has been patching each of these series of deserialization vulnerabilities by individually blacklisting the deserialization of very specific classes as exploits are published. “Oracle has been using a "blacklist" approach in patching these deserialization vulnerabilities, blocking the deserialization of very specific classes, which has led to similar bypass/patch cat and mouse games in the past”, Ullrich mentions.
To know more about this in detail, head over to Oracle’s blog post.
Oracle does “organizational restructuring” by laying off 100s of employees
IBM, Oracle under the scanner again for questionable hiring and firing policies
RedHat takes over stewardship for the OpenJDK 8 and OpenJDK 11 projects from Oracle