Oracle WebLogic Server Web Services Fixes a Critical Bug

This blog covers the recent security fixes for Oracle WebLogic Server. Readers who would like to build a career around Oracle middleware can find Oracle Service Bus training available online. We begin with how patching works and end with the recent vulnerability fixes in Oracle's products.

Patches for Oracle WebLogic Server, Oracle Platform Security Services, Oracle Java Development Kit, Oracle JDeveloper, and Oracle Web Services Manager are included with every Oracle WebLogic Server for Oracle Cloud Infrastructure release.

Patches for Oracle WebLogic Server for Oracle Cloud Infrastructure are not automatically applied to existing Oracle WebLogic Server for Oracle Cloud Infrastructure domains when a new update is released. If you want to bring an existing domain up to the newest version or to a particular supported release, you have to apply the patches manually.

A bundle of related patches released under a single version number is called a Patch Set Update (PSU). When you create an Oracle WebLogic Server for Oracle Cloud Infrastructure domain, you must select a WebLogic Server version that follows the format:

<major_version>.<patch_level>.<build>. 

For example, 12.2.1.4.191121.01, where 12.2.1.4 is the major version, 191121 the patch level and 01 the build.
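As an added example (not code from Oracle or from the original post), the following Python parses version strings in this format and decides whether a domain is at or above the PSU level you require. It assumes the patch level is a six-digit field and the build a two-digit field, as in the example above; the page does not say what the patch level encodes, so the code only orders it numerically. The later version used for comparison is a constructed value, not a real release.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Format from the page: <major_version>.<patch_level>.<build>, e.g. 12.2.1.4.191121.01.
# Field widths (6-digit patch level, 2-digit build) are assumed from that example.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)+)\.(\d{6})\.(\d{2})$")


class WlsVersion(NamedTuple):
    major: Tuple[int, ...]  # e.g. (12, 2, 1, 4)
    patch_level: int        # e.g. 191121 (ordered numerically only)
    build: int              # e.g. 1


def parse_wls_version(text: str) -> WlsVersion:
    """Split a WebLogic for OCI version string into its three fields."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a WebLogic for OCI version string: {text!r}")
    major = tuple(int(part) for part in match.group(1).split("."))
    return WlsVersion(major, int(match.group(2)), int(match.group(3)))


def is_at_or_above(current: str, required: str) -> bool:
    """True if `current` carries the PSU/build of `required` or a later one.

    Comparison is only meaningful within one major version, because a PSU
    for 12.2.1.3 says nothing about a 12.2.1.4 domain.
    """
    cur, req = parse_wls_version(current), parse_wls_version(required)
    if cur.major != req.major:
        raise ValueError(f"major versions differ: {cur.major} vs {req.major}")
    return (cur.patch_level, cur.build) >= (req.patch_level, req.build)


def domains_needing_update(domains: Dict[str, str], required: str) -> List[str]:
    """Names of domains whose version is below `required` (same major version only)."""
    req_major = parse_wls_version(required).major
    behind = []
    for name, version in domains.items():
        if parse_wls_version(version).major != req_major:
            continue  # a different release line; needs its own PSU check
        if not is_at_or_above(version, required):
            behind.append(name)
    return behind


if __name__ == "__main__":
    # Constructed inventory; only the first value is the page's real example.
    inventory = {
        "prod-domain": "12.2.1.4.191121.01",
        "test-domain": "12.2.1.4.200101.02",
        "legacy-domain": "12.2.1.3.191121.01",
    }
    print(domains_needing_update(inventory, "12.2.1.4.200101.02"))
```

Because the fields are compared as integers rather than as strings, a build of 10 correctly sorts after a build of 9, which a plain string comparison would get wrong.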

Oracle has issued a patch for the WebLogic Server versions affected by a remote code execution vulnerability. Researchers report that the bug is being actively exploited, and that it bypasses a fix Oracle had already shipped for an earlier flaw.

The vulnerability is tracked as CVE-2019-2729 and is a deserialization flaw in the XMLDecoder used by Oracle WebLogic Server Web Services. It is closely related to CVE-2019-2725, which was patched in April and had already been exploited in earlier attacks to deliver the Sodinokibi ransomware and cryptocurrency miners; the recently discovered Echobot botnet also carries an exploit for it.

A bypass of a previous fix

CVE-2019-2729 carries a CVSS score of 9.8 out of 10 and, according to Oracle's advisory, may be exploited remotely over the network without a username and password. WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0.0 are affected.

The KnownSec 404 team warned that the fix for the earlier Oracle WebLogic deserialization issue had been bypassed. According to the researchers, the new vulnerability was "used effectively in the wild." They concluded that it was a bypass of the patch for CVE-2019-2725, which also carries a critical rating of 9.8.

In the researchers' words: "Just now, a new remote code execution zero-day vulnerability in Oracle WebLogic deserialization was discovered and is being actively exploited in the wild. We analyzed and reproduced this zero-day vulnerability, which is based on the CVE-2019-2725 patch and bypasses it."

Oracle credited Badcode of the KnownSec 404 Team, along with nine other security researchers, with reporting the new deserialization vulnerability.

Interim mitigation

The deserialization problem lies in the Oracle WebLogic components wls9_async and wls-wsat.

Researchers recommend two mitigation options if patching is not feasible right away:

  1. Delete wls9_async_response.war and wls-wsat.war, then restart the WebLogic service. Note that this removes the asynchronous web service response and WS-AtomicTransaction features along with the vulnerable components, so confirm that nothing in the domain depends on them first.
  2. Enforce URL access policy controls on the paths “/_async/*” and “/wls-wsat/*”.

Both deserialization bugs were exploited as zero-days before Oracle released an emergency patch. They work the same way and have the same remote code execution impact. The difference is that the first was reported as affecting all versions of WebLogic Server, while the second affects only the releases listed above.

According to the ZoomEye search engine, almost 42,000 instances of Oracle's WebLogic Server were exposed online in 2019. A similar search on Shodan shows just over 2,300 servers. Both engines place most of these instances in the United States and China.

On January 19, Oracle released its first quarterly Critical Patch Update (CPU) of 2021. The update contains 329 security patches across 25 Oracle product families, fixing 202 CVEs. About 42 percent of the 329 patches carry a medium severity rating, and roughly 14 percent address critical vulnerabilities.

(Severity breakdown chart, accurate as of January 19, 2021, not reproduced here.)

Analysis

This quarter's release contains 329 patches for 202 CVEs. With 60 patches, Oracle Fusion Middleware is the most heavily patched family, accounting for just over 18 percent of all patches released this quarter. The full breakdown by product family, with the number of patches that are remotely exploitable without authentication, is as follows:

  • Oracle Fusion Middleware: 60 patches, 47 remotely exploitable without authentication.
  • Oracle Financial Services Applications: 50 patches, 41 remotely exploitable without authentication.
  • Oracle MySQL: 43 patches, 5 remotely exploitable without authentication.
  • Oracle Retail Applications: 32 patches, 20 remotely exploitable without authentication.
  • Oracle E-Business Suite: 31 patches, 29 remotely exploitable without authentication.
  • Oracle Virtualization: 17 patches, 0 remotely exploitable without authentication.
  • Oracle Communications: 12 patches, 7 remotely exploitable without authentication.
  • Oracle Supply Chain: 11 patches, 11 remotely exploitable without authentication.
  • Oracle Database Server: 8 patches, 1 remotely exploitable without authentication.
  • Oracle Communications Applications: 8 patches, 6 remotely exploitable without authentication.
  • Oracle Enterprise Manager: 8 patches, 8 remotely exploitable without authentication.
  • Oracle PeopleSoft: 8 patches, 6 remotely exploitable without authentication.
  • Oracle Construction and Engineering: 7 patches, 5 remotely exploitable without authentication.
  • Oracle Hyperion: 7 patches, 5 remotely exploitable without authentication.
  • Oracle Health Sciences Applications: 5 patches, 3 remotely exploitable without authentication.
  • Oracle JD Edwards: 5 patches, 5 remotely exploitable without authentication.
  • Oracle Siebel CRM: 4 patches, 1 remotely exploitable without authentication.
  • Oracle Systems: 4 patches, 3 remotely exploitable without authentication.
  • Oracle Insurance Applications: 3 patches, 1 remotely exploitable without authentication.
  • Oracle Food and Beverage Applications: 2 patches, 1 remotely exploitable without authentication.
  • Oracle GraalVM: 2 patches, 2 remotely exploitable without authentication.
  • Oracle Global Lifecycle Management: 1 patch, 0 remotely exploitable without authentication.
  • Oracle Secure Backup: 1 patch, 0 remotely exploitable without authentication.
  • Oracle Java SE: 1 patch, 1 remotely exploitable without authentication.
  • Oracle Utilities Applications: 1 patch, 1 remotely exploitable without authentication.

Two product families with no Oracle-assigned CVEs

For the first time in recent memory, Oracle assigned no exploitable CVEs of its own to two product families, Oracle Global Lifecycle Management and Oracle Secure Backup. That does not mean these products shipped without fixes: according to Oracle, this quarter's updates for the two families address five CVEs in bundled third-party software:

  • CVE-2019-12402 in Oracle Global Lifecycle Management (third-party software: Apache Commons Compress).
  • CVE-2020-7064 in Oracle Secure Backup (third-party software: PHP).
  • CVE-2020-1198 in Oracle Secure Backup (third-party software: Apache HTTP Server).
  • CVE-2020-11993 in Oracle Secure Backup (third-party software: Apache HTTP Server).
  • CVE-2020-9490 in Oracle Secure Backup (third-party software: Apache HTTP Server).

Five new critical vulnerabilities in Oracle WebLogic Server

Oracle WebLogic Server, a widely deployed application server in Oracle's Fusion Middleware product family, received fixes for five new vulnerabilities in this quarter's update. Newly reported WebLogic Server vulnerabilities are worth tracking each quarter because of how attractive the product is to attackers; the 2020 Threat Landscape Retrospective report highlights four notable Oracle WebLogic Server vulnerabilities that were exploited in the wild.

This quarter, WebLogic Server was patched for five vulnerabilities:

  • CVE-2021-1994 in the Web Services component (HTTP), CVSSv3 9.8.
  • CVE-2021-2047, CVE-2021-2064 and CVE-2021-2108 in the Core component (IIOP, T3), CVSSv3 9.8.
  • CVE-2021-2075 in the Samples component (IIOP, T3), CVSSv3 9.8.

All five bugs are “easily exploitable,” according to Oracle, and successful exploitation results in a complete takeover of the WebLogic Server. Four of the five are reachable over the IIOP and T3 protocols, so restricting those protocols at the network edge reduces exposure while patches are rolled out.

Patches for CVE-2020-14750 are included in the latest Fusion Middleware release.

As noted in Oracle's quarterly release, the Fusion Middleware update includes the fix for CVE-2020-14750, a patch bypass for CVE-2020-14882, which was first patched in Oracle's October 2020 CPU. After the bypass and in-the-wild exploitation were discovered, Oracle released a fix as an out-of-band (OOB) patch. The January 2021 CPU carries that fix in the Fusion Middleware release so that organizations which did not apply the OOB patch still receive these critical updates.

Conclusion:

This blog has covered the critical patch updates across Oracle's product families, including the new critical flaws in Oracle WebLogic Server. We hope it has given you the information you need about the fixes.

Guest article written by: I am VarshaDutta Dusa, working as a Senior Digital Marketing professional and content writer at HKR Trainings. I have good experience in handling technical content writing and aspire to learn new things to grow professionally. I specialize in delivering content on in-demand technologies such as ServiceNow Training, Oracle Service Bus Course, SQL Server DBA Course, Elasticsearch Course, JMeter Course, Kibana, ServiceNow HR Service Management, etc.