Oracle Security Update: CVE-2019-2725

Oracle Security Blog

On Friday 26th April 2019, Oracle released a new “out of band” security alert for WebLogic Server, affecting versions 10.3.6 and 12.1.3: CVE-2019-2725.

“Out of band” updates and alerts are usually critical as they occur outside of Oracle’s usual update/patching schedule. This is because Oracle thinks that the corresponding issue is important and damaging enough that you need to do something about it now, and not wait until their scheduled date or your patching window.

What do you need to do if you’re affected?

If you are still with Oracle for support and are running the affected versions then you should prioritise applying Oracle’s patch to protect against this vulnerability. You can also apply KnownSec 404’s (the group who discovered the vulnerability) temporary solutions in the meantime, if applying Oracle’s patch will take too long.

How Support Revolution customers are protected

If our customers are signed up to our security service, then they are already protected by Trend Deep Security, a security solution that acts as a fence that sits around your systems to defend against these types of weaknesses.

Trend Deep Security has already released a rule update (1009707, released on April 26, 2019) which enables detection and protection against attackers attempting to use this exploit, and this has already been deployed onto the systems we manage.

This means that all of our customers are already protected against this exploit and don’t need to spend time patching their systems manually.

What is the danger?

This is a deserialization vulnerability which allows an unauthenticated attacker to submit a specially crafted XML to a WebLogic server causing it to connect to a remote site and download additional exploit instructions.

The source for this exploit was work done by the KnownSec 404 team in China as part of an investigation into an older exploit CVE-2017-10271 where they were able to identify a weakness in the wls9_async_response package.

Other companies have already created proof of concept exploits, and discussion on it (such as Tenable) indicates that it is an easily exploitable vulnerability that should be protected against urgently.

Learn more about how we protect our customers

As we’ve mentioned, our customers are already protected against this vulnerability because of our modern patching and security methods. You can learn more about how we protect our customers by reading our white paper on the subject: