New Critical Oracle WebLogic Flaw Under Active Attack
Oracle has released an out-of-band emergency software update to patch a newly discovered critical vulnerability in the WebLogic Server.
According to Oracle, the vulnerability which can be identified as CVE-2019-2729 and has a CVSS score of 9.8 out of 10 is already being exploited in the wild by an unnamed group of attackers.
Oracle WebLogic is a Java-based multi-tier enterprise application server that allows businesses to quickly deploy new products and services on the cloud, which is popular across both, cloud environment and conventional environments.
The reported vulnerability is a deserialization issue via XMLDecoder in Oracle WebLogic Server Web Services that could allow unauthorized remote attackers to execute arbitrary code on the targeted servers and take control over them.
“This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password,” the advisory said.
In a separate note, the company also revealed that the flaw is related to a previously known deserialization vulnerability (CVE-2019-2725) in Oracle WebLogic Server that it patched in April this year.
The previously patched RCE flaw in Oracle WebLogic was also exploited by attackers as a zero-day i.e., to distribute Sodinokibi ransomware and cryptocurrency mining malware.
Reported independently by a separate group of individuals and organizations, the new vulnerability affects Oracle WebLogic Server versions 10.3.6.0.0, 220.127.116.11.0, and 18.104.22.168.0
Due to the severity of this vulnerability, the company has recommended affected users and companies to install available security updates as soon as possible.