Oracle patches WebLogic Server flaw hackers are actively exploiting in the wild

Tells users to install the updates as early as possible

Oracle has released a security update to fix a weakness in WebLogic servers that is being actively exploited in the wild to hijack users' systems.

According to Oracle, this critical remote code execution vulnerability - tracked as CVE-2019-2729 and carrying a CVSS score of 9.8 - affects versions 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0 of WebLogic Server. Cybercriminals can exploit the weakness remotely, without needing a username or password.

Considering the severity of the flaw, Oracle has advised users to install the updates as early as possible.

Oracle says that the issue stems from a deserialisation bug in the XMLDecoder component of WebLogic Server Web Services. A remote attacker can exploit the flaw to run malicious code on the vulnerable system by sending a crafted HTTP request.
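For defenders who want to spot this class of request in web-service traffic, the following is an added detection example (not code from Oracle or from the article): it inspects a SOAP request body for an embedded `java.beans.XMLDecoder` document, which no legitimate web-service client should be sending. The sample request bodies are constructed for this example; only the XMLDecoder marker and its `object`/`void` element names are real XMLDecoder conventions.

```python
"""Heuristic detector for XMLDecoder documents embedded in SOAP requests."""
import xml.etree.ElementTree as ET

# Standard root-element marker that java.beans.XMLEncoder writes and XMLDecoder parses.
XMLDECODER_CLASS = "java.beans.XMLDecoder"

# Constructed sample request bodies (not captured traffic).
SAMPLE_BODIES = {
    "benign_soap": (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
        '<soapenv:Body><ns:getStatus xmlns:ns="urn:example"/></soapenv:Body>'
        '</soapenv:Envelope>'
    ),
    "xmldecoder_in_header": (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
        '<soapenv:Header><ctx:Context xmlns:ctx="urn:example-constructed">'
        '<java version="1.8.0" class="java.beans.XMLDecoder">'
        '<object class="java.lang.String"><string>constructed-sample</string></object>'
        '</java></ctx:Context></soapenv:Header><soapenv:Body/></soapenv:Envelope>'
    ),
}


def _local(tag: str) -> str:
    """Strip an ElementTree '{namespace}' prefix so tags compare by local name."""
    return tag.rsplit("}", 1)[-1]


def scan_request(body: str) -> dict:
    """Classify one request body; returns a verdict dict with the evidence found.

    Note: the stdlib parser is used for brevity; on untrusted traffic prefer
    defusedxml to avoid entity-expansion attacks against the detector itself.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        # A mangled body still gets a raw text check so it is not silently passed.
        hit = XMLDECODER_CLASS in body
        return {"flagged": hit, "reason": "unparseable body", "objects": 0}
    for elem in root.iter():
        if _local(elem.tag) == "java" and elem.get("class") == XMLDECODER_CLASS:
            # <object> and <void> are how XMLDecoder instantiates classes and invokes
            # methods, so their count indicates how much the document tries to do.
            objects = sum(1 for e in elem.iter() if _local(e.tag) in ("object", "void"))
            return {"flagged": True, "reason": "embedded XMLDecoder document", "objects": objects}
    return {"flagged": False, "reason": "no XMLDecoder document", "objects": 0}
```

Run `scan_request` over each captured POST body to your web-service endpoints and alert on any `flagged` verdict; the check is a coarse indicator for triage, not a replacement for applying the patch.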

The flaw came to light on 15th June when it was reported by Chinese security research firm "KnownSec404 Team" as a zero-day.

US-CERT also said that it had noticed cybercriminals in the wild using working exploits for the flaw.

Preliminary reports from KnownSec404 Team claimed that cybercriminals were carrying out attacks by exploiting a new zero-day vulnerability derived from another zero-day discovered in April and tracked as CVE-2019-2725.

CVE-2019-2725 is also a deserialisation bug existing in WebLogic Server, which enables attackers to remotely execute malicious code on vulnerable servers. Oracle released a security patch for that vulnerability in April.

KnownSec404 Team claimed that attackers carried out new attacks by bypassing the patches for CVE-2019-2725 released in April.

But in a blog post on Tuesday, Oracle's Security Programme Vice-President John Heimann said that the newly discovered attacks were actually exploiting a separate vulnerability, unrelated to the zero-day from April.

"Please note that while the issue addressed by this alert is a deserialisation vulnerability, like that addressed in Security Alert CVE-2019-2725, it is a distinct vulnerability," Heimann said in the post.

KnownSec404 Team also said that the current attacks exploiting CVE-2019-2729 were targeting only JDK 1.6.x compatible systems, which limits the number of servers exposed to them.

Moreover, the majority of the attacks targeted corporate networks in order to install crypto-mining malware for financial gain.