Oracle patches another actively-exploited WebLogic zero-day

New wave of attacks against Oracle WebLogic servers using a brand new zero-day detected over the weekend.


Oracle released an out-of-band security update to fix a vulnerability in WebLogic servers that was being actively exploited in the real world to hijack users' systems.

Attacks using this vulnerability were first reported by Chinese security firm Knownsec 404 Team on June 15, last Saturday.

The initial report from Knownsec claimed the attacks exploited a brand new WebLogic bug to bypass patches for a previous zero-day tracked as CVE-2019-2725 -- which was also exploited in the wild for days in April before Oracle released an emergency security patch for that one as well.

But in a blog post on Tuesday, John Heimann, Oracle's Security Program Vice-President, said this was an incorrect assessment, and that the new attacks are exploiting a separate vulnerability that had nothing to do with the zero-day from April.

A 9.8 out of 10 severity score

The new zero-day received the CVE-2019-2729 identifier and a severity score of 9.8 out of a maximum of 10, identical to the score of the April zero-day.

The two zero-days are similar, although the flawed code lives in different parts of the WebLogic codebase. Both are bugs in the data deserialization process inside WebLogic servers, the step in which data received in binary form is converted back into its original objects. In both cases an attacker can abuse that process to run code on the vulnerable server.

The attacker doesn't need to know a remote server's credentials to run the exploit, which means attacks can be automated and launched against any Internet-accessible WebLogic instance, a number that currently stands at nearly 42,000.

Knownsec said the current CVE-2019-2729 attacks are only targeting JDK 1.6.x compatible systems, which reduces the number of targeted servers.

Oracle WebLogic has been a popular target for hackers

Oracle WebLogic exploits are some of the most popular exploits today [1, 2, 3, 4, 5, 6, 7, 8]. CVE-2019-2729 will almost certainly join CVE-2019-2725, CVE-2018-2893, CVE-2018-2628, and CVE-2017-10271 as one of the most exploited WebLogic vulnerabilities in the wild.

For the majority of these attacks, hackers are targeting corporate networks -- where most WebLogic servers are usually installed -- to plant crypto-mining malware for their financial benefit.

Oracle listed WebLogic versions 10.3.6.0.0, 12.1.3.0.0, and 12.2.1.3.0 as impacted by the bug. The company released security fixes for the affected versions yesterday.
