Oracle has released another out of band patch for a zero day vulnerability, CVE-2019-2725, on June 19, 2019. This zero-day is a lot like the last WebLogic vulnerability that was released in April 2019. Both of these vulnerabilities involve a bug in the data deserialization process that happens inside WebLogic servers when content is reverted from binary form back into its original form. Both vulnerabilities allow attackers to exploit this process and run code on affected systems. The attacker does not need to know a remote server’s credentials to run an exploit against it.
Much like previous WebLogic vulnerabilities, this flaw can theoretically be used to install ransomware, cryptojacking, or Bitcoin miners. Since it is remote code execution, the possibilities for use are very broad.
Some WebLogic users are mitigating against this and future vulnerabilities by disabling Asynchronous Request-Response and Web Service Atomic Transactions applications entirely. This could have other implications, but controlling access to these applications via firewall or network policy at the very least would be wise. Oracle is fixing these vulnerabilities by blacklisting specific classes, which leaves WebLogic open to similar flaws being discovered in the future.
Protecting these applications by means other than patching would be a good practice, as it would decrease the need for emergency patching should other flaws surface. Being diligent about applying Oracle’s quarterly updates to WebLogic should be considered a best practice. Oracle releases updates on the Tuesday closest to the 17th of January, April, July, and October.
To detect this vulnerability, scan your servers, especially public-facing servers, using Tenable Plugin IDs 124338 and 124337, or Qualys QID 87386.
If you are a Vulnerability Management customer with deepwatch, your vulnerability management SME will communicate with you in regards to which assets are considered vulnerable to you in your environment.
All organizations should put the patch into place as soon as possible due to this vulnerability being used in the wild at this time.
Jen O’Neil, Vulnerability Management SME
Dave Farquhar, Vulnerability Management SME