June 19, 2019, updated 08 Jul 2022 11:23am

This Critical Oracle Vulnerability is Being Exploited in the Wild

Another remotely exploitable WebLogic zero-day...

By CBR Staff Writer

Oracle has been forced to push out an emergency patch after the second critical vulnerability in Oracle WebLogic Server in less than eight weeks was identified. The Oracle vulnerability, rated a drop-everything-and-patch-it-now 9.8 on the CVSS scale, is remotely exploitable without authentication: it may be (and has been) exploited over a network with no username or password.

Oracle WebLogic Server is an application server for building and deploying enterprise Java EE applications: over 40,000 web-accessible instances are at risk.

Oracle’s security alert for the vulnerability, CVE-2019-2729, describes it as a deserialisation vulnerability via XMLDecoder in Oracle WebLogic Server Web Services. Oracle said: “Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.”

Oracle Vulnerability: Affected Products 

Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0 are affected, Oracle said, and a patch has been issued for each.

The issue was reported by 11 security researchers, primarily in China. It was first reported by the KnownSec 404 Team, which had also identified April’s WebLogic vulnerability and said it had observed the new one being exploited in the wild.

(The KnownSec team described this week’s zero-day as “based on and bypassing” the April patch. Oracle says this is incorrect: it is a “distinct vulnerability”.)

April’s vulnerability was also a deserialisation vulnerability.


(Serialisation is the process of turning an object into a data format that can be stored or transmitted and restored later; deserialisation is the reverse. A deserialisation vulnerability arises when an application rebuilds objects from data an attacker controls: the serialised format lets the sender dictate which classes are instantiated and which methods are called, so a crafted input becomes code execution the moment it is deserialised. XMLDecoder is exactly such a mechanism: its XML input is a script of class instantiations and method calls, not a passive record, which is why handing it untrusted input is so dangerous.)
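The mechanism behind an XMLDecoder deserialisation flaw, shown as an added illustration that is not taken from Oracle’s code or from the researchers’ reports: XMLDecoder reads its input as a sequence of “construct this class, call these methods” instructions, so any endpoint that feeds it untrusted XML lets the sender choose the classes and methods. The vulnerable path is shown beside a hardened one that parses the same bytes as inert XML and copies only expected fields. The sample documents, the `WorkItem` record and the method names are constructed for this example, and a harmless `StringBuilder` stands in for whatever class a real attacker would name.

```java
import java.beans.XMLDecoder;
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class XmlDecoderDemo {

    // Constructed sample input: the service expects a simple "workItem" record,
    // but the sender has supplied an XMLDecoder document instead. XMLDecoder does
    // not treat this as data; it is a script: instantiate the named class, then
    // call the named methods with the given arguments. A harmless class is used
    // here; in a real attack the sender picks the class name.
    static final String HOSTILE_XML =
        "<java class=\"java.beans.XMLDecoder\">\n" +
        "  <object class=\"java.lang.StringBuilder\">\n" +
        "    <void method=\"append\"><string>class chosen by sender; </string></void>\n" +
        "    <void method=\"append\"><string>methods chosen by sender</string></void>\n" +
        "  </object>\n" +
        "</java>";

    // Constructed sample input in the format the service actually intends to accept.
    static final String BENIGN_XML =
        "<workItem><id>42</id><description>rotate signing key</description></workItem>";

    /** Plain data holder for what the service actually wants (hypothetical record type). */
    static final class WorkItem {
        final String id;
        final String description;
        WorkItem(String id, String description) { this.id = id; this.description = description; }
        @Override public String toString() { return "WorkItem{id=" + id + ", description=" + description + "}"; }
    }

    // VULNERABLE: untrusted bytes go straight into XMLDecoder. Whatever class the
    // sender named is constructed and whatever methods it named are invoked before
    // readObject() even returns; the caller never gets a chance to validate.
    static Object decodeUnsafely(String xml) {
        try (XMLDecoder decoder = new XMLDecoder(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))) {
            return decoder.readObject();
        }
    }

    // HARDENED: parse the input as inert XML with a plain DOM parser (DOCTYPEs and
    // entity expansion disabled), insist on the expected root element, and copy
    // only the expected fields into a plain data object. No class name in the
    // input is ever resolved and no method named in the input is ever called.
    static WorkItem decodeSafely(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        Document doc = factory.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));

        Element root = doc.getDocumentElement();
        if (!"workItem".equals(root.getTagName())) {
            throw new IllegalArgumentException("rejected: unexpected root element <" + root.getTagName() + ">");
        }
        return new WorkItem(requiredText(root, "id"), requiredText(root, "description"));
    }

    private static String requiredText(Element parent, String name) {
        NodeList nodes = parent.getElementsByTagName(name);
        if (nodes.getLength() != 1) {
            throw new IllegalArgumentException("rejected: expected exactly one <" + name + ">");
        }
        return nodes.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        // Vulnerable path: the sender's class is built and its methods run.
        Object obj = decodeUnsafely(HOSTILE_XML);
        System.out.println("XMLDecoder built a " + obj.getClass().getName() + ": " + obj);

        // Hardened path: the same bytes are rejected, the intended record is accepted.
        try {
            decodeSafely(HOSTILE_XML);
        } catch (IllegalArgumentException e) {
            System.out.println("DOM path: " + e.getMessage());
        }
        System.out.println("DOM path: " + decodeSafely(BENIGN_XML));
    }
}
```

The design point is that the fix is not a filter on class names: XMLDecoder’s document format is a programme, and any blocklist of dangerous classes is a race against the next gadget. Untrusted input should never reach XMLDecoder at all; it should be parsed as data by a parser that resolves no classes, then mapped by hand into the small set of types the service expects.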

April’s vulnerability rapidly led to attacks, including the delivery of a previously unseen ransomware variant dubbed “Sodinokibi”, Cisco Talos security researchers said. (That ransomware is now also being used in a spam campaign impersonating Booking.com.)

They added in an analysis last month: “Historically, most varieties of ransomware have required some form of user interaction, such as a user opening an attachment to an email message, clicking on a malicious link, or running a piece of malware on the device.”

“In this case, the attackers simply leveraged the Oracle WebLogic vulnerability, causing the affected server to download a copy of the ransomware from attacker-controlled IP addresses”.

