ASA-2019-00370 – Oracle WebLogic Server: Deserialization vulnerability via XMLDecoder


Allele Security Alert

ASA-2019-00370

Identifier(s)

ASA-2019-00370, CVE-2019-2729

Title

Deserialization vulnerability via XMLDecoder

Vendor(s)

Oracle

Product(s)

Oracle WebLogic Server

Affected version(s)

Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0

Fixed version(s)

Oracle WebLogic Server with Security Alert CVE-2019-2725 applied

Proof of concept

Unknown

Description

This is a deserialization vulnerability via XMLDecoder in the Web Services component of Oracle WebLogic Server. It allows remote code execution and is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password.
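As an added defender-side example that is not part of this alert or of Oracle's own code: the snippet below scans SOAP request bodies (constructed samples, with a placeholder class name) for java.beans.XMLDecoder markup, the serialization format the description refers to, which a WebLogic web-service request has no legitimate reason to carry.

```python
import re
from typing import List

# Constructed sample SOAP request bodies (not captured traffic). The first is an
# ordinary web-service call; the second carries java.beans.XMLDecoder markup.
# com.example.PlaceholderBean is a placeholder class name, not a real gadget.
BENIGN_REQUEST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><ns:getStatus xmlns:ns="urn:example"><ns:id>42</ns:id></ns:getStatus></soapenv:Body>
</soapenv:Envelope>"""

SUSPICIOUS_REQUEST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <java version="1.8.0" class="java.beans.XMLDecoder">
      <object class="com.example.PlaceholderBean">
        <void property="name"><string>constructed</string></void>
      </object>
    </java>
  </soapenv:Body>
</soapenv:Envelope>"""

# Element/attribute pairs that appear in XMLEncoder/XMLDecoder output and not in
# ordinary SOAP payloads; any one of them is enough to alert on.
XMLDECODER_MARKERS = {
    "xmldecoder_root": re.compile(r"<java\b[^>]*\bclass=[\"']java\.beans\.XMLDecoder[\"']", re.I),
    "object_instantiation": re.compile(r"<object\b[^>]*\bclass=", re.I),
    "void_invocation": re.compile(r"<void\b[^>]*\b(?:method|property|index)=", re.I),
    "array_instantiation": re.compile(r"<array\b[^>]*\bclass=", re.I),
}


def xmldecoder_indicators(body: str) -> List[str]:
    """Return the names of the XMLDecoder markers found in a request body."""
    return [name for name, pattern in XMLDECODER_MARKERS.items() if pattern.search(body)]


def is_xmldecoder_request(body: str) -> bool:
    """True when the body should be blocked or alerted on as XMLDecoder content."""
    return bool(xmldecoder_indicators(body))


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        print(label, xmldecoder_indicators(body))
```

The same patterns can be applied to web-server access logs or a WAF rule set; the check is on the request body, so it works whether the markup sits in the SOAP header or body.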

Technical details

Unknown

Credits

Badcode (Knownsec 404 Team), Fangrun Li (Creditease Security Team), Foren Lim, Lucifaer, orich1 (CUIT D0g3 Secure Team), Sukaralin, WenHui Wang (State Grid), Ye Zhipeng (Qianxin Yunying Labs), Yuxuan Chen, Zhao Chang (Venustech ADLab) and Zhiyi Zhang (Codesafe Team of Legendsec at Qi’anxin Group)

Reference(s)

Oracle Security Alert Advisory – CVE-2019-2729
https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html

Security Alert CVE-2019-2729 Released
https://blogs.oracle.com/security/security-alert-cve-2019-2729-released

[KnownSec 404 Team] Oracle WebLogic Deserialization RCE Vulnerability (0day) Alert Again (CVE-2019–2725 patch bypassed!!!)
https://medium.com/@knownsec404team/knownsec-404-team-alert-again-cve-2019-2725-patch-bypassed-32a6a7b7ca15?postPublishedType=repub

CVE-2019-2729
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2729

CVE-2019-2729
https://nvd.nist.gov/vuln/detail/CVE-2019-2729

If there is any error in this alert, or if you would like a comprehensive analysis, let us know.

Last modified: October 17, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.