CVE-2019-2729:Oracle Releases Out-of-Band Patch for WebLogic Server Deserialization Vulnerability
Out-of-band security advisory addresses second Oracle WebLogic Server vulnerability in two months.
背景說明
On June 18, Oracle published an out-of-band security advisory to address a critical vulnerability in Oracle WebLogic Server.
分析
CVE-2019-2729 is a deserialization vulnerability in the XMLDecoder in Oracle WebLogic Server Web Services. An unauthenticated attacker could remotely exploit this vulnerability to gain remote code execution (RCE) on vulnerable systems. This vulnerability follows another deserialization vulnerability, CVE-2019-2725, that was reported as a zero-day on April 17, 2019 and patched on April 26, 2019.
On June 15, researchers from the KnownSec 404 Team published a blog stating they were able to bypass the patch that addressed CVE-2019-2725 in April. The researchers said they found “a new oracle webLogic[sic] deserialization RCE 0day vulnerability” that “is being actively used in the wild” and they had contacted Oracle to inform them of these new developments.
Oracle said in a blog post that,while both CVE-2019-2725 and CVE-2019-2729 are deserialization flaws, CVE-2019-2729 is “a distinct vulnerability.” Following the advisory from Oracle, KnownSec have since updated the June 15 blog to confirm that CVE-2019-2729 addresses the vulnerability they discovered in the wild.
Attackers moved quickly to incorporate CVE-2019-2725 into campaigns for the Sodinokibi ransomware and GandCrab ransomware and XMRig cryptocurrency miner. Nearly two months later, it continues to be utilized by attackers in another Monero cryptocurrency mining campaign and as part of a new variant of Mirai, the internet-of-things (IoT) malware’s tool kit of exploits. We believe that once proofs-of-concept (PoCs) are available for CVE-2019-2729 it will become another favorite among attackers.
概念驗證
At the time this blog was published, there was no known PoC code available for CVE-2019-2729. However, the KnownSec 404 Team reports seeing exploitation of this vulnerability in the wild. Tenable anticipates updated PoCs will become available soon.
解決方法
Oracle has released fixes for Oracle WebLogic Server versions 10.3.6.0.0 and 12.1.3.0.0. At the time this blog was published, fixes for WebLogic Server 12.2.1.3.0 had not been released.
If patching is not currently feasible, previous mitigations for CVE-2019-2725 are applicable to CVE-2019-2729. These workarounds are:
- Delete the wls9_async_response.war, wls-wsat.war packages from the WebLogic server, and restart the Weblogic service
- Restrict access to, or disable, the “/_async/*” and “/wls-wsat/” URL paths on the WebLogic server
找出受影響的系統
A list of Tenable plugins to identify this vulnerability will appear here as they’re released.
Get more information
加入 Tenable Community 的 Tenable 安全回應團隊。
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io.
相關文章
Cybersecurity Snapshot: Latest MITRE ATT&CK Update Offers Security Insights on GenAI, Identity, Cloud and CI/CD
April 26, 2024Check out what’s new in Version 15 of the MITRE ATT&CK knowledge base of adversary tactics, techniques and procedures. Plus, learn the latest details about the Change Healthcare breach, including the massive scope of the data exfiltration. In addition, why AI cyberthreats aren’t impacting CISOs’ budgets. And much more!
Cybersecurity Snapshot: U.S. Gov’t Unpacks AI Threat to Banks, as NCSC Urges OT Teams to Protect Cloud SCADA Systems
March 29, 2024Check out new guidance for banks on combating AI-boosted fraud. Plus, how to cut cyber risk when migrating SCADA systems to the cloud. Meanwhile, why CISA is fed up with SQLi flaws. And best practices to prevent and respond to DDoS attacks. And much more!
Cybersecurity Snapshot: NSA Picks Top Cloud Security Practices, while CNCF Looks at How Cloud Native Can Facilitate AI Adoption
March 22, 2024Check out the NSA’s 10 key best practices for securing cloud environments. Plus, learn how cloud native computing could help streamline your AI deployments. Meanwhile, don’t miss the latest about cyberthreats against water treatment plants and critical infrastructure in general. And much more!
Microsoft’s June 2024 Patch Tuesday Addresses 49 CVEs
June 11, 2024Microsoft addresses 49 CVEs in its June 2024 Patch Tuesday release with one rated as critical and no zero-day or publicly disclosed vulnerabilities. Our counts omitted two CVEs that were not issued by Microsoft, which include CVE-2023-50868 (issued by MITRE) and CVE-2024-29187 (issued by GitHub).
Cloud Workload Protection: The Key to Decreasing Cloud Security Risks
June 11, 2024More than 80% of all breaches involve data stored in the cloud, and security teams that don’t use cloud workload protection (CWP) may never get ahead of attackers who want to access as much data as possible with the least effort. A single cloud breach is often the most straightforward way into these sensitive environments. On average, it costs nearly $5 million to respond and recover. So, why are so many organizations still using traditional on-prem security that isn't designed for the dynamic cloud?
CVE-2024-4577: Proof of Concept Available for PHP-CGI Argument Injection Vulnerability
June 7, 2024Researchers disclose a critical severity vulnerability affecting PHP installations and provide proof-of-concept exploit code, which could lead to remote code execution.
- Internet of Things
- Threat Intelligence
- Threat Management
- Vulnerability Management
- Vulnerability Scanning