CVE-2019-2729: Oracle Releases Out-of-Band Patch for WebLogic Server Deserialization Vulnerability
Out-of-band security advisory addresses second Oracle WebLogic Server vulnerability in two months.
背景
On June 18, Oracle published an out-of-band security advisory to address a critical vulnerability in Oracle WebLogic Server.
分析
CVE-2019-2729 is a deserialization vulnerability in the XMLDecoder in Oracle WebLogic Server Web Services. An unauthenticated attacker could remotely exploit this vulnerability to gain remote code execution (RCE) on vulnerable systems. This vulnerability follows another deserialization vulnerability, CVE-2019-2725, that was reported as a zero-day on April 17, 2019 and patched on April 26, 2019.
On June 15, researchers from the KnownSec 404 Team published a blog stating they were able to bypass the patch that addressed CVE-2019-2725 in April. The researchers said they found “a new oracle webLogic[sic] deserialization RCE 0day vulnerability” that “is being actively used in the wild” and they had contacted Oracle to inform them of these new developments.
Oracle said in a blog post that,while both CVE-2019-2725 and CVE-2019-2729 are deserialization flaws, CVE-2019-2729 is “a distinct vulnerability.” Following the advisory from Oracle, KnownSec have since updated the June 15 blog to confirm that CVE-2019-2729 addresses the vulnerability they discovered in the wild.
Attackers moved quickly to incorporate CVE-2019-2725 into campaigns for the Sodinokibi ransomware and GandCrab ransomware and XMRig cryptocurrency miner. Nearly two months later, it continues to be utilized by attackers in another Monero cryptocurrency mining campaign and as part of a new variant of Mirai, the internet-of-things (IoT) malware’s tool kit of exploits. We believe that once proofs-of-concept (PoCs) are available for CVE-2019-2729 it will become another favorite among attackers.
概念验证
At the time this blog was published, there was no known PoC code available for CVE-2019-2729. However, the KnownSec 404 Team reports seeing exploitation of this vulnerability in the wild. Tenable anticipates updated PoCs will become available soon.
解决方案
Oracle has released fixes for Oracle WebLogic Server versions 10.3.6.0.0 and 12.1.3.0.0. At the time this blog was published, fixes for WebLogic Server 12.2.1.3.0 had not been released.
If patching is not currently feasible, previous mitigations for CVE-2019-2725 are applicable to CVE-2019-2729. These workarounds are:
- Delete the wls9_async_response.war, wls-wsat.war packages from the WebLogic server, and restart the Weblogic service
- Restrict access to, or disable, the “/_async/*” and “/wls-wsat/” URL paths on the WebLogic server
识别受影响的系统
A list of Tenable plugins to identify this vulnerability will appear here as they’re released.
Get more information
加入 Tenable Community 中的 Tenable 安全响应团队
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io.
相关文章
Cybersecurity Snapshot: U.S. Gov’t Unpacks AI Threat to Banks, as NCSC Urges OT Teams to Protect Cloud SCADA Systems
March 29, 2024Check out new guidance for banks on combating AI-boosted fraud. Plus, how to cut cyber risk when migrating SCADA systems to the cloud. Meanwhile, why CISA is fed up with SQLi flaws. And best practices to prevent and respond to DDoS attacks. And much more!
Cybersecurity Snapshot: NSA Picks Top Cloud Security Practices, while CNCF Looks at How Cloud Native Can Facilitate AI Adoption
March 22, 2024Check out the NSA’s 10 key best practices for securing cloud environments. Plus, learn how cloud native computing could help streamline your AI deployments. Meanwhile, don’t miss the latest about cyberthreats against water treatment plants and critical infrastructure in general. And much more!
How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform: The Importance of Contextual Prioritization
March 11, 2024Discover how contextual prioritization of exposure is revolutionizing OT/IoT security, enabling organizations to shift from reactive to proactive breach prevention.
Tenable and Thales Collaborate to Provide Cyber Defense Simulations to Better Secure Operational Technology Environments
April 18, 2024The heart of the Welsh Valleys is home to the Thales Ebbw Vale campus, a world-class facility jointly funded by the Welsh government as part of its regeneration program for the region. At the core of the facility is the Cyber Range, a simulation and virtualization platform for training, testing, exercising and R&D. Tenable has joined the lineup of solutions used to run real world simulations in this controlled environment.
Oracle April 2024 Critical Patch Update Addresses 239 CVEs
April 17, 2024Oracle addresses 239 CVEs in its second quarterly update of 2024 with 441 patches, including 38 critical updates.
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
- Internet of Things
- Threat Intelligence
- Threat Management
- Vulnerability Management
- Vulnerability Scanning