Date: 25th June 2019
Several supported versions of Oracle WebLogic Server are affected by a critical vulnerability, registered as CVE-2019-2729, with a CVSS base score of 9.8 (out of 10). Oracle has released an out-of-band patch.
The vulnerability is already being exploited in the wild: compromised servers have been used to deploy the Sodinokibi and GandCrab ransomware families and the XMRig cryptocurrency miner.
As with a number of recent WebLogic vulnerabilities, this one is exploitable remotely over HTTP and requires no authentication (no username or password), which accounts for the high CVSS score. It is closely related to CVE-2019-2725, a flaw that likewise allows an unauthenticated attacker with HTTP network access to compromise the Oracle WebLogic Server and that Oracle patched in April 2019; CVE-2019-2729 is a bypass of that fix. Both continue a line of deserialization attacks against WebLogic that includes CVE-2018-2893, CVE-2018-2628 and CVE-2017-10271.
Tactics, Techniques and Procedures
Oracle WebLogic Server is a Java EE application server in Oracle's Fusion Middleware portfolio and supports a number of databases.
Because the product is widely deployed and typically has broad connectivity into large enterprise landscapes, a compromised server is a useful staging post for stealing sensitive data. In practice, though, most observed exploitation has come from attackers who want to abuse the server's considerable compute resources for covert cryptocurrency mining.
Vulnerable Software Versions
- Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0
Invinsec recommends the following activities:
- Apply Oracle's critical (out-of-band) WebLogic patch for CVE-2019-2729.
Temporary workarounds are also available until the patch can be applied (note that both disable the asynchronous web service and WS-AtomicTransaction features, so test the impact on hosted applications before rolling them out):
- Locate and delete wls9_async_response.war and wls-wsat.war, then restart the WebLogic service.
- Block access to the /_async/* and /wls-wsat/* URL paths via access policy control (for example at the load balancer or web server in front of WebLogic).
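As an added example (not Invinsec's or Oracle's code), the following script helps verify that the two workarounds above are actually in effect: it probes the URL paths the access policy should block and walks a WebLogic installation directory for the WAR files that should have been removed. It does not attempt exploitation. The concrete service paths under /_async/ and /wls-wsat/ are assumed typical values, and the `weblogic_home` argument is whatever directory you install WebLogic under.

```python
#!/usr/bin/env python3
"""Added example (not Invinsec's or Oracle's code): check whether a WebLogic
host still exposes the URL paths the workaround blocks, and locate the WAR
files the workaround removes. It does NOT attempt exploitation."""
import os
import urllib.error
import urllib.request

# URL prefixes named in the workaround; the concrete service paths under
# them are assumed typical values served by the affected components.
PROBE_PATHS = [
    "/_async/AsyncResponseService",
    "/wls-wsat/CoordinatorPortType",
]
# WAR files the workaround deletes from the WebLogic installation.
WAR_NAMES = {"wls9_async_response.war", "wls-wsat.war"}


def find_workaround_wars(root):
    """Walk `root` (e.g. a WebLogic home) and return paths of the WARs the
    workaround removes. An empty list means the WARs are already gone
    (or the search root is wrong)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in WAR_NAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def classify_status(status):
    """Map an HTTP status code for a probed path to an exposure verdict.
    None means no HTTP answer at all (connection refused, timeout)."""
    if status is None:
        return "unreachable"
    if 200 <= status < 400:
        return "reachable"   # component answers; confirm patch level separately
    if status in (401, 403, 404):
        return "blocked"     # access policy or WAR removal is in effect
    return "unknown"


def fetch_status(url, timeout=5):
    """GET `url` and return its HTTP status, or None if no HTTP reply arrived."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code            # 4xx/5xx replies still tell us something
    except (urllib.error.URLError, OSError):
        return None


def probe_host(base_url, timeout=5):
    """Return {path: verdict} for every probe path on `base_url`."""
    base = base_url.rstrip("/")
    return {p: classify_status(fetch_status(base + p, timeout)) for p in PROBE_PATHS}


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: check_weblogic.py http://host:7001 /path/to/weblogic_home")
    for path, verdict in probe_host(sys.argv[1]).items():
        print(f"{verdict:12s} {path}")
    for war in find_workaround_wars(sys.argv[2]):
        print(f"present      {war}")
```

A "reachable" verdict only means the component still answers; a fully patched server also answers on these paths, so confirm the installed patch level separately (for example with OPatch) rather than treating "reachable" as proof of vulnerability. Conversely, "blocked" from the network side while the WARs are still present on disk means the server is protected only by the perimeter rule, and any path that bypasses it (a second listen port, a direct connection from inside the network) reopens the exposure.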
Invinsec security operations teams will continue to monitor intelligence relating to this vulnerability, and will update guidance and monitor for specific Indicators of Compromise as these become available.