Sunday, June 30, 2019


ORACLE



WebLogic Server Zero-Day Vulnerability Patch Issued, Oracle Cautions Exploit Still Active

Oracle recognizes actively exploited security vulnerability in its popular and widely deployed WebLogic servers. Although the company has issued a patch, users must update their systems at the earliest because the WebLogic zero-day bug is presently under active exploitation. The security flaw has been tagged with "critical severity" level. The Common Vulnerability Scoring System score or CVSS base score is an alarming 9.8.
Oracle recently addressed a critical vulnerability affecting its WebLogic servers. The critical WebLogic zero-day vulnerability threatens users' online security. The bug can potentially allow a remote attacker to gain complete administrative control of the victim or target device. If that's not enough, once inside, the remote attacker can easily execute arbitrary code. The deployment or activation of the code can be done remotely. Although Oracle has quickly issued a patch for the system, it is up to the server administrators to deploy or install the update as this WebLogic zero-day bug is considered to be under active exploitation.
The Security Alert advisor from Oracle, officially tagged the CVE-2019-2729 mentions the threat is, "deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services. This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. "
The CVE-2019-2729 security vulnerability has earned a critical severity level. The CVSS base score of 9.8 is usually reserved for the most severe and critical security threats. In other words, WebLogic server administrators must prioritize the deployment of the patch issued by Oracle.
A recently conducted study by Chinese KnownSec 404 Team claims the security vulnerability is actively pursued or used. The team strongly feels the new exploit is essentially bypassing the patch of a previously known officially tagged bug CVE-2019-2725. In other words, the Oracle team may have inadvertently left loophole within the last patch that was meant to address previously discovered security flaw. However, Oracle has officially clarified that the just addressed security vulnerability is completely unrelated to the previous one. In a blog post meant to offer clarification about the same, John Heimann, VP Security Program Management, noted, "Please note that while the issue addressed by this alert is deserialization vulnerability, such as addressed in Security Alert CVE-2019-2725, it is a distinct vulnerability. "
The vulnerability can be easily exploited by an attacker with network access. The attacker simply requires access via HTTP, one of the most common networking pathways. The attackers do not need authentication credentials to exploit the vulnerability over a network. The exploitation of the vulnerability may result in the takeover of the targeted Oracle WebLogic servers.
Which Oracle WebLogic Servers Remain Vulnerable To CVE-2019-2729?
Irrespective of the correlation or connection to the previous security bug, several security researchers actively reported the new WebLogic zero-day vulnerability to Oracle. According to researchers, the bug reportedly affects Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0.
Interestingly, even before Oracle issued the security patch, there were a few workarounds for system administrators. Those who wished to quickly protect their systems were offered two separate solutions which could still work:
Scenario-1: Find and delete wls9_async_response.war, wls-wsat.war and restart the Weblogic service. Scenario-2: Controls URL access for the / _async / * and / wls-wsat / * paths by access policy control.
Security researchers were able to discover about 42,000 Internet-accessible WebLogic servers. Needless to mention, the majority of attackers looking to exploit the vulnerability are targeting corporate networks. The primary intention behind the attack appears to be dropping crypto-mining malware. Servers have some of the most powerful computing power and such malware discreetly uses the same to mine cryptocurrency. Some reports indicate attackers are deploying Monero-mining malware. Attackers were even known to have used certificate files to hide the malware variant's malicious code. This is a common technique to evade detection by anti-malware software. Alap Desai
at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

  DIGITAL LIFE One Tech Tip: Replacing passwords with passkeys for an easier login experience If you're tired of memorizing passwords, t...

  • (no title)
    TECH In Memoriam: The Tech That Died in 2018 A bongo enthusiast once said, "time is a flat circle," which is a pretentious...
  • (no title)
      HONOR Model 60 Pro: Sparkling design and camera configuration confirmed by teaser image Honor is not due to unveil the Honor 60 series for...
  • (no title)
      OPPO New and unprecedented model Find X6 will debut with a huge photo sensor Oppo has a strong smartphone lineup lately, offering great fo...