Oracle on Tuesday published an out-of-band update patching a critical code-execution vulnerability in its WebLogic server after researchers warned that the flaw was being actively exploited in the wild.
The vulnerability, tracked as CVE-2019-2729, allows an attacker to run malicious code on the WebLogic server without any need for authentication. That capability earned the vulnerability a Common Vulnerability Scoring System score of 9.8 out of 10. The vulnerability is a deserialization attack targeting two Web applications that WebLogic appears to expose to the Internet by default - wls9_async_response and wls-wsat.war.
The flaw in Oracle's WebLogic Java application servers came to light as a zero-day four days ago when it was reported by security firm KnownSec404.
This isn't the first, or even second, deserialization attack that has been used to target these services. The wls-wsat component was successfully
exploited in a similar fashion in 2017, and KnownSec404 reported
another one in April. The 2017 vulnerability was largely used to install bitcoin miners; April's vulnerability was exploited in
cryptojacking and ransomware campaigns. Oracle's current out-of-band patch and advisory notice has not officially acknowledged the active exploitation of CVE-2019-2729, but it does mark the vulnerability as high risk and advises customers to apply the out-of-band patch as soon as possible.
