CVE-2019-2568 vulnerability in Oracle WebLogic Server

36,000 publicly accessible Oracle WebLogic Servers are at risk

Cyber security vulnerabilities are being reported day by day. This time the vulnerability is in Oracle WebLogic Server. KnownSec 404 has identified CVE-2019-2568, a vulnerability that allows an attacker with low privileges and network access via HTTP to compromise Oracle WebLogic Server.

Here is the official description:

“Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebLogic Server.”

For your information, Oracle WebLogic Server is an Oracle application server, a platform for developing and deploying multitier distributed enterprise applications. Oracle acquired it in 2008 when it purchased BEA Systems. The reported vulnerability, CVE-2019-2568, allows access to the server via HTTP.

It should be noted that the vulnerability can affect various additional products as well. A successful attack can give the attacker unauthorized update, insert or delete access to some of the data accessible on Oracle WebLogic Server.

As you all know, a zero-day in the wild means multiple servers are at risk. Oracle is aware of this. It releases security updates every three months. Since the company's last update was released just four days before the bug was discovered, the CVE-2019-2568 vulnerability will be addressed in the next three months.

How to avoid an attack

Almost 36,000 publicly accessible WebLogic servers are at risk. To avoid attack before a patch is available, KnownSec 404 recommends that administrators either remove the vulnerable components and restart their WebLogic servers, or deploy firewall rules to block requests to the two exploited URL paths (/_async/* and /wls-wsat/*).
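A firewall rule for those two paths is only as good as its matching. The following is an added example, not from the article or from KnownSec 404, that scans access-log lines for requests to /_async/* and /wls-wsat/*, normalizing percent-encoding, case and doubled slashes before comparing so that a plain prefix check is not slipped past; the log lines, addresses and service names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# The two URL prefixes the article says to block at the firewall.
BLOCKED_PREFIXES = ("/_async/", "/wls-wsat/")

# Common Log Format: host ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def normalize_path(raw_path: str) -> str:
    """Canonicalize a request path before matching, so percent-encoding,
    mixed case and doubled slashes do not slip past a plain prefix check."""
    path = raw_path.split("?", 1)[0]      # drop the query string
    path = unquote(unquote(path))         # undo single and double encoding
    path = re.sub(r"/+", "/", path)       # collapse // into /
    if not path.startswith("/"):
        path = "/" + path
    return path.lower()

def is_blocked_path(raw_path: str) -> bool:
    """True if the request targets /_async/* or /wls-wsat/*."""
    path = normalize_path(raw_path)
    return any(path.startswith(p) or path == p.rstrip("/") for p in BLOCKED_PREFIXES)

def scan_access_log(lines):
    """Return (client_ip, method, normalized_path, status) for each hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue          # skip lines that are not in Common Log Format
        ip, _ts, method, path, status = m.groups()
        if is_blocked_path(path):
            hits.append((ip, method, normalize_path(path), int(status)))
    return hits

# Constructed sample lines (hypothetical addresses and service names).
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Apr/2019:10:01:02 +0000] "POST /_async/ExampleService HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/Apr/2019:10:01:05 +0000] "POST /wls-wsat/ExamplePort HTTP/1.1" 500 0',
    '203.0.113.9 - - [26/Apr/2019:10:02:00 +0000] "GET /console/ HTTP/1.1" 200 2048',
    '203.0.113.9 - - [26/Apr/2019:10:02:30 +0000] "POST /%5Fasync/ExampleService?x=1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, method, path, status in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {method} {path} -> {status}")
```

The same normalization belongs in whatever proxy or WAF rule you deploy; a rule that matches only the literal string `/_async/` misses the encoded form in the last sample line.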

A vulnerability of this type was detected in January last year, when attackers were targeting database servers. It was a completely new tactic used in a new style: after the exploit code compromised the machine, two separate pieces of miner software were installed on the targeted device.