Although it’s a few days old, I’d like to point out an article by my colleague Markus Knies who had to deal with this vulnerability right on day zero:

Oracle released the quarterly critical patch updates on April 16th, 2019. Only one week later a zero-day vulnerability was identified by the KnownSec-404 security team. The vulnerability exists in Oracle Weblogic Server and has been labeled as CVE-2019-2725 and is also reported by the BSI (Bundesamt für Sicherheit in der Informationstechnik, Zero-Day-Schwachstelle in Oracle WebLogic Server, 25.04.2019).

Affected modules for this vulnerability are the wls9_async_response package with its components wls9_async and wls-wsat. With the help of these two modules it is possible to execute malicious content with elevated privileges.

Oracle reacted fast, broke the regular patch process, and launched an independent emergency patch on April 26th,2019:

https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html

Oracle reports that there is only an impact at the following versions: Oracle WebLogic Server, versions 10.3.6.0 and 12.1.3.0.

The BSI announces that all versions of Oracle WebLogic-Server are affected (also including the currently actual version 12.2.1.3).

The vulnerability CVSS score for this issue is 9.8. It is highly recommended to install this patch as soon as possible in affected systems.

Related Links:

Oracle – Oracle Security Alert Advisory: https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html

F5L2019 – F5 Labs: Twitter-Meldung: https://mobile.twitter.com/F5Labs/status/1120822404568244224/photo/1

Pag2019 – Pierluigi Paganini: „Zero-day vulnerability in Oracle WebLogic“: https://securityaffairs.co/wordpress/84450/breaking-news/oracle-weblogic-zeroday.html

Heise – Oracle WebLogic Server via Zero-Day-Lücke aus der Ferne angreifbar (26.04.2019): https://www.heise.de/security/meldung/Oracle-WebLogic-Server-via-Zero-Day-Luecke-aus-der-Ferne-angreifbar-4408439.html

Heise – Oracle patcht kritische Lücke in WebLogic Server außer der Reihe (29.04.2019): https://www.heise.de/security/meldung/Oracle-patcht-kritische-Luecke-in-WebLogic-Server-ausser-der-Reihe-4409153.html?wt_mc=rss.security.beitrag.atom

via Zero Day vulnerability in Oracle WebLogic Servers – Oracle Patch available | The Cattle Crew Blog

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.