But in a blog post on Tuesday, John Heimann, Oracle's Security Program Vice-President, said this was an incorrect assessment, and that the new attacks are exploiting a separate vulnerability that had nothing to do with the zero-day from April.
A 9.8 out of 10 severity score
The new zero-day received the identifier CVE-2019-2729 and a severity score of 9.8 out of a maximum of 10, the same score assigned to the April zero-day.
The two zero-days are similar, although the problematic code resides in different parts of the WebLogic code base. Both are bugs in the data deserialization process that happens inside WebLogic servers, when content is converted from its binary form back into its original object form. Both allow attackers to abuse this process to run code on vulnerable systems.
The attacker doesn't need to know a remote server's credentials to run the exploit, which means attacks can be automated and launched against any Internet-accessible WebLogic instance, a number that currently stands at nearly 42,000.
Knownsec said the current CVE-2019-2729 attacks are only targeting JDK 1.6.x compatible systems, which reduces the number of targeted servers.
Oracle WebLogic has been a popular target for hackers
Oracle WebLogic exploits are some of the most popular exploits today [1, 2, 3, 4, 5, 6, 7, 8]. CVE-2019-2729 will almost certainly join CVE-2019-2725, CVE-2018-2893, CVE-2018-2628, and CVE-2017-10271 as one of the most exploited WebLogic vulnerabilities in the wild.
For the majority of these attacks, hackers are targeting corporate networks, where most WebLogic servers are usually installed, to plant crypto-mining malware for their own financial benefit.
Oracle listed WebLogic versions 10.3.6.0.0, 12.1.3.0.0, and 12.2.1.3.0 as impacted by the bug. The company released security fixes for the affected versions yesterday.