Oracle WebLogic vulnerability being exploited


4:00pm, 20 June 2019

TLP Rating: Clear


CERT NZ is aware of a critical vulnerability in the Oracle WebLogic Server being actively exploited. The vulnerability, CVE-2019-2729, is remotely exploitable without authentication.

Oracle has released a patch to mitigate this vulnerability. There are conflicting reports about the patch's effectiveness, so CERT NZ recommends implementing further defence-in-depth mitigations in addition to patching.

What's happening

Systems affected

Oracle has stated the vulnerability affects users of WebLogic Server versions:

  • 10.3.6.0.0
  • 12.1.3.0.0
  • 12.2.1.3.0

Oracle also notes that older versions are likely to be affected, but as they do not test these versions for vulnerabilities, they cannot confirm this.

What this means

According to Oracle, there is a deserialisation vulnerability via XMLDecoder in WebLogic Server Web Services. This vulnerability is remotely exploitable without authentication, meaning that it can be exploited over a network without login credentials.

Attackers are able to exploit these vulnerabilities to run their own code. Previously, similar vulnerabilities have been used to run mining software for cryptocurrency. It is possible that more malicious attacks will be carried out through this vector.

There is conflicting information about exactly which vulnerabilities are currently being exploited. Security researchers Knownsec claimed that the attacks exploited a WebLogic flaw to bypass the patches for a previous zero-day WebLogic vulnerability, CVE-2019-2725.

Oracle has claimed that the vulnerability has emerged from a separate zero-day, CVE-2019-2729. A patch has been released for this vulnerability. 

What to look for

How to tell if you're at risk

You are affected by this vulnerability if you are using WebLogic Server versions:

  • 10.3.6.0.0
  • 12.1.3.0.0
  • 12.2.1.3.0

Oracle also notes that older versions are likely to be affected, but as they do not test these versions for vulnerabilities, they cannot confirm this.
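To make the version check above repeatable across a fleet, the following added example (not part of the CERT NZ advisory) parses the banner printed by `java weblogic.version` (run after sourcing the domain's setWLSEnv script so weblogic.jar is on the classpath; that output format and the sample banner below are the editor's own assumptions, not text from the advisory) and classifies the server against the three versions Oracle lists. It treats releases older than the listed ones as "unconfirmed", matching Oracle's statement that it does not test those versions.

```python
import re
from typing import Optional, Tuple

# Versions Oracle lists as affected by CVE-2019-2729 (taken from the advisory).
AFFECTED_VERSIONS = ("10.3.6.0.0", "12.1.3.0.0", "12.2.1.3.0")

# Assumed banner format of `java weblogic.version`, for example:
# "WebLogic Server 12.2.1.3.0 Thu Aug 17 13:39:49 PDT 2017 1882952"
_VERSION_RE = re.compile(r"WebLogic Server\s+(\d+(?:\.\d+)+)")


def _to_tuple(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def parse_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Extract the WebLogic version from the banner text, or None if absent."""
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    return _to_tuple(match.group(1))


def assess(version: Tuple[int, ...]) -> str:
    """Classify a version tuple against the advisory's affected list.

    Returns one of:
      "affected"           - exactly one of the versions Oracle lists
      "unconfirmed-older"  - older than a listed release; Oracle says these are
                             likely affected but untested
      "not-listed"         - newer than every listed release; this does NOT
                             mean patched, check Oracle's advisory for the fix level
    """
    affected = [_to_tuple(v) for v in AFFECTED_VERSIONS]
    if version in affected:
        return "affected"
    if version < max(affected):
        return "unconfirmed-older"
    return "not-listed"


def assess_output(banner: str) -> str:
    """Convenience wrapper: banner text in, classification out ("unknown" if unparseable)."""
    version = parse_version(banner)
    if version is None:
        return "unknown"
    return assess(version)


if __name__ == "__main__":
    # Constructed sample banners, not output captured from a real server.
    samples = [
        "WebLogic Server 12.2.1.3.0 Thu Aug 17 13:39:49 PDT 2017 1882952",
        "WebLogic Server 10.3.5.0 Fri Apr 1 20:20:06 PDT 2011 1398638",
        "WebLogic Server 12.2.1.4.0 Thu Sep 12 04:04:29 GMT 2019 1974621",
        "no banner here",
    ]
    for line in samples:
        print(f"{assess_output(line):18s} <- {line}")
```

A server reporting "affected" or "unconfirmed-older" should be patched or upgraded per the Mitigation section; "not-listed" only tells you the version is not one of the three named, so confirm the patch level against Oracle's advisory rather than treating it as clean.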

What to do

Prevention

Make sure you are using a supported WebLogic Server version and immediately apply the patches released by Oracle.

In addition to patching, CERT NZ recommends you take further measures, including:

  • planning for out-of-cycle patches
  • engaging with Oracle about upcoming patches
  • monitoring effectiveness of patches and future bypasses
  • implementing defence-in-depth processes such as web app firewalls and any other controls relevant to your network.

Mitigation

Implement the patches released by Oracle immediately.

If you are running an unsupported version, Oracle recommends upgrading to a supported version as soon as possible.

Operating system controls such as SELinux or AppArmor can be used to limit the impact of a successful attack. When correctly implemented, these controls restrict the files, network access and other resources that the affected WebLogic process can reach.

Oracle's advisory for the CVE-2019-2729 vulnerability

More information

Keep up to date with Oracle's security alerts.

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
