Another remote code execution vulnerability affecting Oracle WebLogic Server spotted in the wild

• The newly discovered RCE flaw has been tracked as CVE-2019-2729.
• The flaw affects WebLogic versions 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0.

Oracle has released emergency patches for another critical remote code execution vulnerability affecting its WebLogic Server. The newly discovered RCE flaw has been tracked as CVE-2019-2729.

It was only a month ago that a deserialization vulnerability tracked as CVE-2019-2725 was discovered in the WebLogic Server. The flaw was widely abused by attackers to deliver a variety of malware in different attack campaigns.

What is the vulnerability?

The RCE flaw, tracked as CVE-2019-2729, affects WebLogic versions 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. It has received a severity score of 9.8 on CVSS and can be exploited by a remote attacker without authentication.

“This Security Alert addresses CVE-2019-2729, a deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services. This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password,” reads the security advisory of Oracle.

According to KnownSec404 team, the new RCE flaw has arisen because of an incomplete patch for CVE-2019-2729. The researchers have confirmed that threat actors are already exploiting the CVE-2019-2729 in the wild.

What are the vulnerable targets?

KnownSec team notes that the current vulnerability is being abused currently to target JDK 1.6.x compatible systems.

Just like CVE-2019-2725, the CVE-2019-2729 can allow attackers to exploit the process and run code on vulnerable systems.

Fixing the issue

The company has released security updates to fix the issue on affected versions. KnownSec researchers have also recommended some temporary solutions to mitigate the matter:

• Scenario-1: Find and delete wls9_async_response.war, wls-wsat.war and restart the Weblogic service
• Scenario-2: Controls URL access for the /_async/* and /wls-wsat/* paths by access policy control.