Oracle releases second WebLogic Server patch in two months

News by Robert Abel

The previous flaw, announced in April, was being used in cryptojacking and ransomware campaigns

Oracle released an out-of-band patch for a WebLogic Server deserialisation vulnerability that could allow an unauthenticated attacker to achieve remote code execution (RCE) on vulnerable systems.

The vulnerability, CVE-2019-2729 (CVSS base score 9.8), affects Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0, and is exploitable over a network without a username or password.
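As an added triage example (not code from the article or from Oracle), the script below does the two things a defender would want after reading the alert: it checks a reported WebLogic version string against the affected releases named above, and it scans HTTP access-log lines for unauthenticated POSTs to the async web-service endpoints that public write-ups reported being abused in the April campaign. The endpoint paths, the combined-log-format layout and the sample log lines are assumptions constructed for this example; the article itself names neither the endpoints nor a log format.

```python
"""Triage helpers for the WebLogic deserialisation alert.

Added example, not Oracle's code or the article's. Assumptions:
- affected versions come from the alert text above;
- SUSPECT_PATHS are the async web-service paths reported in public
  write-ups of the April campaign, not something the article states;
- access logs are in combined/common log format (WebLogic's default
  access.log is close enough for the fields used here).
"""
import re
from typing import Iterable, List, Tuple

# Base versions listed in the alert. A match means "check that the
# out-of-band patch is installed", not "definitely vulnerable", because
# PSU patch level is not encoded in the base version string.
AFFECTED_VERSIONS = {"10.3.6.0.0", "12.1.3.0.0", "12.2.1.3.0"}

# Assumption: endpoint prefixes reported as the exploitation path.
SUSPECT_PATHS = ("/_async/", "/wls-wsat/")

# ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

Hit = Tuple[str, str, int, bool]  # (source ip, path, status, unauthenticated?)


def is_affected_version(version: str) -> bool:
    """True if the exact base version is one the alert lists as affected."""
    return version.strip() in AFFECTED_VERSIONS


def suspicious_requests(lines: Iterable[str]) -> List[Hit]:
    """Return POSTs to the suspect web-service paths.

    The deserialisation flaw is reachable without credentials, so the
    access-log user field being '-' is recorded alongside each hit; it is
    the normal case for exploitation traffic, not a filter.
    """
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if m["method"] != "POST":
            continue  # the exploit delivers a SOAP/XML body, so POST only
        if not m["path"].startswith(SUSPECT_PATHS):
            continue
        hits.append((m["ip"], m["path"], int(m["status"]), m["user"] == "-"))
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jun/2019:10:21:07 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0
203.0.113.5 - - [19/Jun/2019:10:21:09 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 1203
198.51.100.7 - admin [19/Jun/2019:10:22:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4421
192.0.2.44 - - [19/Jun/2019:10:23:14 +0000] "GET /_async/AsyncResponseService HTTP/1.1" 200 612
"""

if __name__ == "__main__":
    print("12.2.1.3.0 affected:", is_affected_version("12.2.1.3.0"))
    for ip, path, status, anon in suspicious_requests(SAMPLE_LOG.splitlines()):
        print(f"{ip} POST {path} -> {status} (unauthenticated={anon})")
```

Run it against a real access.log with `suspicious_requests(open(path))`; a 202 from `/_async/AsyncResponseService` followed by outbound connections from the WebLogic host is the pattern the April cryptojacking and ransomware campaigns left behind, and a GET to the same path (as in the last sample line) is just a probe for the component's presence.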

This is the second vulnerability of this type in two months: the previous flaw, CVE-2019-2725, was announced in April after it was found being exploited in cryptojacking and ransomware campaigns.

Oracle said in a blog post that, while both flaws are deserialisation vulnerabilities, CVE-2019-2729 is "a distinct vulnerability" rather than a re-issue of the April fix.

In 2017 a similar WebLogic deserialisation vulnerability was exploited to install cryptocurrency miners. Oracle recommends that affected customers apply the update as soon as possible given the severity of the flaw.

This article was originally published on SC Media US.
