Another day, another vulnerability. The cybersecurity mantra holds true once again, this time with a serious issue in Oracle WebLogic Server.
The vulnerability, identified as CVE-2019-2568, is easily exploitable and can allow an attacker with low privileges and network access via HTTP to compromise Oracle WebLogic Server. The vulnerability was discovered by KnownSec 404.
CVE-2019-2568 Official Description
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0.0, 220.127.116.11.0 and 18.104.22.168.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebLogic Server.
It should be noted that while the flaw is located in Oracle WebLogic Server, attacks can significantly impact additional products as well. Successful attacks based on CVE-2019-2568 can result in unauthorized update, insert or delete access to some of the data accessible to Oracle WebLogic Server.
The zero-day flaw appears to be targeted in the wild, meaning that multiple vulnerable servers are at risk. Oracle is aware of the exploit. However, as the company released its quarterly security update just four days before the bug’s discovery, a patch may take some time. Oracle releases security updates every three months, meaning that CVE-2019-2568 is going to be addressed in three months.
Who’s affected? More than 36,000 publicly accessible WebLogic servers are currently vulnerable. Before the official patch arrives, affected parties will have to utilize workarounds to avoid attacks.
To avoid attacks, KnownSec 404’s recommendation is to either remove the vulnerable components and restart the WebLogic servers, or deploy firewall rules that block requests to the two URL paths exploited in the wild (/_async/* and /wls-wsat/*).
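The path-blocking workaround above is only as good as the matching behind it: a rule that compares the raw request string against /_async/ or /wls-wsat/ can be slipped past by percent-encoding, doubled slashes or dot segments. The following added example (not code from KnownSec 404, Oracle or the original article) shows a defender-side check that canonicalizes a request path before prefix matching, plus a scanner that runs it over access-log lines to find requests that should have been blocked. The log lines, IP addresses and the /_async/foo and /wls-wsat/bar targets are constructed for the demonstration.

```python
import posixpath
import re

# URL prefixes named in the KnownSec 404 workaround.
BLOCKED_PREFIXES = ("/_async/", "/wls-wsat/")

# Combined-log-format style line: client, timestamp, request line, status.
# Constructed for this example; adjust to the real log format in use.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(raw_target: str) -> str:
    """Canonicalize a request target before prefix matching.

    Drops the query string and fragment, percent-decodes (twice, so a
    double-encoded form is also caught), collapses repeated slashes and
    resolves ./ and ../ segments. Trivially obfuscated forms of a blocked
    path therefore end up in the same shape as the plain one.
    """
    path = raw_target.split("?", 1)[0].split("#", 1)[0]
    path = re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), path)
    path = re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), path)
    path = re.sub(r"/+", "/", path)         # '//wls-wsat' -> '/wls-wsat'
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)         # '/x/../_async/' -> '/_async'


def should_block(raw_target: str) -> bool:
    """True when the canonical path falls under one of the blocked prefixes."""
    path = normalize_path(raw_target)
    for prefix in BLOCKED_PREFIXES:
        # normpath strips the trailing slash, so '/_async' itself must match
        # as well as anything below '/_async/'.
        if path == prefix.rstrip("/") or path.startswith(prefix):
            return True
    return False


def find_hits(log_lines):
    """Return (client, method, canonical path, status) for every request
    whose target resolves to a blocked prefix."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                         # skip lines in another format
        target = m.group("target")
        if should_block(target):
            hits.append((m.group("ip"), m.group("method"),
                         normalize_path(target), int(m.group("status"))))
    return hits


# Constructed sample log: RFC 5737 test addresses, made-up sub-paths.
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Apr/2019:10:00:01 +0000] "POST /_async/foo HTTP/1.1" 200 512',
    '192.0.2.11 - - [26/Apr/2019:10:00:02 +0000] "POST /wls-wsat/bar HTTP/1.1" 500 0',
    '192.0.2.12 - - [26/Apr/2019:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '192.0.2.13 - - [26/Apr/2019:10:00:04 +0000] "POST /%5Fasync/foo HTTP/1.1" 200 512',
    '192.0.2.14 - - [26/Apr/2019:10:00:05 +0000] "POST /static/../wls-wsat/bar HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, method, path, status in find_hits(SAMPLE_LOG):
        print(f"{ip} {method} {path} -> {status}")
```

Running the block lists four of the five sample requests: the two plain ones and the two obfuscated ones (percent-encoded underscore, dot segment) that a naive string match would have let through. The same `should_block` logic is what a reverse proxy or WAF rule needs to implement on the canonical path, not the raw request line; a 200 status on a hit is the case worth investigating, since it means the request reached the component rather than being rejected.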
Oracle WebLogic servers have been targeted continuously in recent months, especially by attackers who carry out cryptomining campaigns. CVE-2017-10271 has become one of attackers’ most favored vulnerabilities. Attacks based on this specific bug were detected in January last year, when cybercriminals were targeting database servers in the so-called double Monero miner attacks.
This was considered a novel tactic because the exploit was used in a non-traditional way: after the machines were compromised by the exploit code, two separate miner programs were installed on the affected devices.