
Using Oracle WebLogic? Put down your coffee, drop out of Discord, grab this patch right now: Vuln under attack

Emergency security fix emitted for remote code exec hole exploited in the wild

Oracle has issued an emergency critical update to address a remote code execution vulnerability in its WebLogic Server component for Fusion Middleware – a flaw miscreants are exploiting in the wild to hijack systems.

The programming blunder, designated CVE-2019-2729, is present in WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, and 12.2.1.3.0. The vulnerability itself is caused by a deserialization bug in the XMLDecoder for WebLogic Server Web Services.

When exploited, the flaw lets a remote attacker execute malicious code on the targeted machine via a single HTTP request, without any credentials or authorization: a nightmare scenario for a server platform, and especially one facing the public internet.

Making the fix for this flaw even more urgent is the report from US-CERT that working exploits for the vulnerability have already been spotted being wielded by scumbags in the wild.

Oracle recommends that admins test and install the update as soon as possible.

In posting the patch, Oracle credited a crop of 11 security researchers for spotting and reporting the vulnerability and exploits: Zhiyi Zhang from Codesafe Team of Legendsec at Qi'anxin Group, Zhao Chang of Venustech ADLab, Yuxuan Chen, Ye Zhipeng of Qianxin Yunying Labs, WenHui Wang of State Grid, Sukaralin, orich1 of CUIT D0g3 Secure Team, Lucifaer, Foren Lim, Fangrun Li of Creditease Security Team, and Badcode of Knownsec 404 Team.

Speaking of Knownsec 404, it has mitigations and some more details here.

This patch comes just one day after Oracle patched a similar deserialization flaw in WebLogic Server, designated CVE-2019-2725. Like today's release, that bug allows remote code execution on vulnerable servers and was likewise rated critical, with admins urged to install the patch as soon as possible. Oracle did not say whether that vulnerability is also under active exploit.

Developers who have yet to install one or both of the fixes would be well-advised to read and follow Oracle's advisories. ®
