Last Updated: 2019-06-19 14:57:35 UTC
by Johannes Ullrich (Version: 1)
Oracle today released an out-of-band security update for WebLogic, patching yet another XMLDecoder deserialization vulnerability. According to Oracle, the flaw is already being actively exploited. Exploitation does not require authentication and allows arbitrary code injection; the CVSS score of the vulnerability is 9.8. The vulnerability is similar to CVE-2019-2725 in that it bypasses protections Oracle put in place when it patched that vulnerability in April. Oracle has been using a "blocklist" approach in patching these deserialization vulnerabilities, blocking the deserialization of very specific classes, which has led to similar bypass/patch cat-and-mouse games in the past.
Security company KnownSec has a few more details about the vulnerability, including some mitigation techniques.
CVE-2019-2729 was assigned to the vulnerability and it affects versions 10.3.6.0.0, 18.104.22.168.0, 22.214.171.124.0. A patch for WLS 126.96.36.199.x will be released tomorrow.
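
The blocklist approach described above fails open for any class that is not yet on the list, while an allowlist fails closed. The sketch below is an added example, not Oracle's filter or code from this diary; the class names, tag and attribute sets, and sample documents are constructed, and it assumes the XML can be inspected before it reaches XMLDecoder.

```python
import xml.etree.ElementTree as ET

# Constructed policy values for illustration; these are not Oracle's filter lists.
BLOCKED_CLASSES = {"com.example.gadget.KnownBad"}
ALLOWED_TAGS = {"java", "object", "void", "string", "int", "boolean"}
ALLOWED_ATTRS = {"class", "property", "version"}  # no method=, so no arbitrary calls
ALLOWED_CLASSES = {"java.beans.XMLDecoder", "com.example.app.Settings"}

# Constructed sample documents in XMLDecoder's element/attribute style.
KNOWN_BAD = '<java><object class="com.example.gadget.KnownBad"/></java>'
NEW_VARIANT = '<java><object class="com.example.gadget.NotYetListed"/></java>'
BENIGN = ('<java version="1.8.0" class="java.beans.XMLDecoder">'
          '<object class="com.example.app.Settings">'
          '<void property="name"><string>prod</string></void></object></java>')

def _elements(xml_text):
    """Parse and return all elements, or None if the XML is malformed."""
    # For untrusted input in production, use a hardened parser (e.g. defusedxml).
    try:
        return list(ET.fromstring(xml_text).iter())
    except ET.ParseError:
        return None

def blocklist_allows(xml_text):
    """Deny only class names already known to be dangerous (fails open)."""
    els = _elements(xml_text)
    if els is None:
        return False
    return not any(el.get("class") in BLOCKED_CLASSES for el in els)

def allowlist_allows(xml_text):
    """Permit only listed tags, attributes and classes (fails closed)."""
    els = _elements(xml_text)
    if els is None:
        return False
    for el in els:
        if el.tag not in ALLOWED_TAGS or not set(el.attrib) <= ALLOWED_ATTRS:
            return False
        if "class" in el.attrib and el.attrib["class"] not in ALLOWED_CLASSES:
            return False
    return True

if __name__ == "__main__":
    for name, doc in [("known bad", KNOWN_BAD), ("new variant", NEW_VARIANT),
                      ("benign", BENIGN)]:
        print(f"{name:12} blocklist={blocklist_allows(doc)} "
              f"allowlist={allowlist_allows(doc)}")
```

The unlisted class passes the blocklist but is rejected by the allowlist, which is the gap each successive patch has had to close.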