Oracle released the quarterly critical patch updates on April 16th, 2019. Only one week later a zero-day vulnerability was identified by the KnownSec-404 security team. The vulnerability exists in Oracle Weblogic Server and has been labeled as CVE-2019-2725 and is also reported by the BSI (Bundesamt für Sicherheit in der Informationstechnik, Zero-Day-Schwachstelle in Oracle WebLogic Server, 25.04.2019).
Affected modules for this vulnerability are the wls9_async_response package with its components wls9_async and wls-wsat. With the help of these two modules it is possible to execute malicious content with elevated privileges.
Oracle reacted fast, broke the regular patch process, and launched an independent emergency patch on April 26th,2019:
Oracle reports that there is only an impact at the following versions: Oracle WebLogic Server, versions 10.3.6.0 and 220.127.116.11.
The BSI announces that all versions of Oracle WebLogic-Server are affected (also including the currently actual version 18.104.22.168).
The vulnerability CVSS score for this issue is 9.8. It is highly recommended to install this patch as soon as possible in affected systems.
Oracle – Oracle Security Alert Advisory: https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html
F5L2019 – F5 Labs: Twitter-Meldung: https://mobile.twitter.com/F5Labs/status/1120822404568244224/photo/1
Pag2019 – Pierluigi Paganini: „Zero-day vulnerability in Oracle WebLogic“: https://securityaffairs.co/wordpress/84450/breaking-news/oracle-weblogic-zeroday.html
Heise – Oracle WebLogic Server via Zero-Day-Lücke aus der Ferne angreifbar (26.04.2019): https://www.heise.de/security/meldung/Oracle-WebLogic-Server-via-Zero-Day-Luecke-aus-der-Ferne-angreifbar-4408439.html
Heise – Oracle patcht kritische Lücke in WebLogic Server außer der Reihe (29.04.2019): https://www.heise.de/security/meldung/Oracle-patcht-kritische-Luecke-in-WebLogic-Server-ausser-der-Reihe-4409153.html?wt_mc=rss.security.beitrag.atom