Oracle has been forced to push out an emergency patch after the second critical vulnerability in Oracle WebLogic Server was identified in less than eight weeks. The Oracle vulnerability – rated a drop-everything-and-patch-it-now 9.8 on the CVSS risk matrix – is remotely exploitable without authentication, i.e., may (and has been) exploited over a network without the need for a username and password.
Oracle WebLogic Server is an application server for building and deploying enterprise Java EE applications: over 40,000 web-accessible instances are at risk.
Oracle’s security alert for the vulnerability, CVE-2019-2729, describes it as a deserialisation vulnerability via XMLDecoder in Oracle WebLogic Server Web Services. Oracle said: “Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.”
Oracle Vulnerability: Affected Products
Oracle WebLogic server versions 10.3.6.0.0, 12.1.3.0.0, and 12.2.1.3.0 are affected, Oracle said, issuing a patch.
The issue has been reported by 11 security researchers, primarily in China and was first reported by the KnownSec 404 Team, which had also identified April’s WebLogic vulnerability and said they had observed it being exploited in the wild.
(The KnownSec team identified this week’s zero day as “based on and bypassing” that initial patch. Oracle says this is incorrect: it is a “distinct vulnerability”.)
April’s vulnerability was also a deserialisation vulnerability.
(Serialisation is the process of turning an object into a data format that can be restored later. Deserialisation is the reverse of that process. A security exploit against a vulnerable serialisation process typically involves an attacker injecting malicious data into the serialised data that activates as malicious code on deserialisation).
April’s vulnerability rapidly led to attacks, including the delivery of previously unseen ransomware variant dubbed “Sodinokibi”, Cisco Talos security researchers said. (That ransomware is currently being used in a new spam campaign pretending to be from Booking.com).
They added in an analysis last month: “Historically, most varieties of ransomware have required some form of user interaction, such as a user opening an attachment to an email message, clicking on a malicious link, or running a piece of malware on the device.”
“In this case, the attackers simply leveraged the Oracle WebLogic vulnerability, causing the affected server to download a copy of the ransomware from attacker-controlled IP addresses”.