Oracle patches Critical WebLogic vulnerability exploited in the wild (CVE-2019-2729)

Critical WebLogic vulnerability

Oracle has released a patch for a critical vulnerability CVE-2019-2729 in Oracle WebLogic Server, exploited in the wild. The company also warns bad actors can remotely exploit the flaw without a username and password.

In the latest security update, Oracle addresses a deserialization vulnerability CVE-2019-2729 via XMLDecoder in Oracle WebLogic Server Web Services. As a result, actors could exploit the flaw over the network without user credentials and then execute remote code.

Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0 are affected. Oracle provided a patch for Oracle Fusion Middleware that fixes the WebLogic vulnerability.

Consequently, the critical vulnerability also has a CVSS score of 9.8 (10 being the highest).

“Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible,” Oracle said.

The critical update is similar in nature to another critical WebLogic Server deserialization vulnerability CVE-2019-2725 patched in April. In that instance, experts also warned of attackers exploiting the flaw in the wild.

On Saturday, researchers with KnownSec 404 Team confirmed the latest vulnerability CVE-2019-2729 bypasses the Oracle WebLogic Server flaw patched in April. The company also spotted active exploits in the wild.

“A new oracle webLogic deserialization RCE 0day vulnerability was found and is being actively used in the wild. We analyzed and reproduced the 0day vulnerability, which is based on and bypasses the patch for CVE-2019–2725,” the researchers noted in a blog post over the weekend.

Given the severity, organizations should apply patches as soon as possible.