
====================================================================

                             CERT-Renater

                 Note d'Information No. 2019/VULN192

_____________________________________________________________________

DATE                : 19/06/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Systems running Oracle WebLogic Server versions
                            10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0.

=====================================================================
https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html
_____________________________________________________________________

Oracle Security Alert Advisory - CVE-2019-2729
Description

This Security Alert addresses CVE-2019-2729, a deserialization
vulnerability via XMLDecoder in Oracle WebLogic Server Web Services.
This remote code execution vulnerability is remotely exploitable without
authentication, i.e., may be exploited over a network without the need
for a username and password.

Due to the severity of this vulnerability, Oracle strongly recommends
that customers apply the updates provided by this Security Alert as soon
as possible.
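The class of flaw described above (an XMLDecoder document embedded in a web-service request) is one a defender can detect on the wire independently of patch state, because ordinary SOAP traffic has no reason to carry the JavaBeans XMLDecoder persistence vocabulary. The scanner below is an added example and is not part of the CERT-Renater note or of Oracle's advisory. It keys on element names from the public XMLDecoder grammar (java, object, new, array, void); the three SOAP request samples are constructed for illustration, the 1 MiB size cap is an assumption, and no endpoint path or gadget class is assumed.

```python
"""Flag XML/SOAP request bodies that carry java.beans.XMLDecoder markup.

Defensive detection helper (added example, not Oracle's or CERT-Renater's code).
It reports 'high' findings when the XMLDecoder persistence grammar appears in a
request body and 'low' findings when the body cannot be parsed at all.
"""
import re
import xml.etree.ElementTree as ET

# Subset of the JavaBeans XMLDecoder grammar that the scan keys on.
XMLDECODER_ELEMENTS = {"java", "object", "new", "array", "void"}
# Elements whose class="..." attribute names a Java class to instantiate.
INSTANTIATING_ELEMENTS = {"object", "new", "array"}
# Fully-qualified Java class name, e.g. java.lang.String (at least one dot).
JAVA_FQCN = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+$")
MAX_BODY_BYTES = 1 << 20  # assumption: cap parsing at 1 MiB to limit parser DoS


def local_name(tag: str) -> str:
    """Strip ElementTree's '{namespace}' prefix, leaving the local element name."""
    return tag.rsplit("}", 1)[-1]


def scan_body(body: str) -> list[tuple[str, str]]:
    """Return (severity, reason) findings for one request body.

    'high': XMLDecoder markup is present; treat as an exploitation attempt.
    'low' : the body could not be parsed; worth logging, not an indicator alone.
    """
    if len(body.encode("utf-8", "replace")) > MAX_BODY_BYTES:
        return [("low", "body exceeds scan size limit; not parsed")]
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return [("low", f"not well-formed XML: {exc}")]

    findings = []
    for elem in root.iter():
        name = local_name(elem.tag)
        if name not in XMLDECODER_ELEMENTS:
            continue
        cls = elem.get("class", "")
        if name == "java":
            findings.append(("high", f"<java> XMLDecoder document root (class={cls or 'unset'})"))
        elif name in INSTANTIATING_ELEMENTS and JAVA_FQCN.match(cls):
            findings.append(("high", f'<{name} class="{cls}"> instantiates a Java class'))
        elif name == "void" and any(a in elem.attrib for a in ("method", "property", "index")):
            findings.append(("high", f"<void {' '.join(elem.attrib)}> invokes a method or property"))
    return findings


def is_exploit_attempt(body: str) -> bool:
    """True when at least one 'high' finding was produced for the body."""
    return any(sev == "high" for sev, _ in scan_body(body))


# Constructed samples (not captured traffic).
BENIGN_REQUEST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <ns:getOrder xmlns:ns="http://example.test/orders"><ns:orderId>42</ns:orderId></ns:getOrder>
  </soapenv:Body>
</soapenv:Envelope>"""

# A schema that happens to use generic element names must not trigger the scan.
GENERIC_OBJECT_REQUEST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body><object><class>widget</class><field>x</field></object></soapenv:Body>
</soapenv:Envelope>"""

# XMLDecoder markup inside a SOAP header; the class named here is deliberately harmless.
SUSPECT_REQUEST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <java version="1.8.0" class="java.beans.XMLDecoder">
      <object class="java.lang.String"><string>constructed sample</string></object>
    </java>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_REQUEST), ("generic", GENERIC_OBJECT_REQUEST), ("suspect", SUSPECT_REQUEST)):
        print(label, is_exploit_attempt(sample), scan_body(sample))
```

The scan is meant to sit at a reverse proxy, WAF or log-review step in front of WebLogic: a 'high' finding is a reason to block and alert, while a 'low' finding only deserves review. Matching on the grammar rather than on any particular class name keeps the rule robust to payload variation and, together with the class-attribute requirement on object/new/array, keeps ordinary schemas that reuse words like "object" from raising false positives.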


Affected Products and Patch Information

Security vulnerabilities addressed by this Security Alert affect the
products listed below. The product area is shown in the Patch
Availability Document column. Please click on the links in the Patch
Availability Document column below to access the documentation for patch
availability information and installation instructions.


Affected Products and Versions                         Patch Availability Document
Oracle WebLogic Server, versions 10.3.6.0.0,           Fusion Middleware
12.1.3.0.0, 12.2.1.3.0


Security Alert Supported Products and Versions

Patches released through the Security Alert program are provided only
for product versions that are covered under the Premier Support or
Extended Support phases of the Lifetime Support Policy. Oracle
recommends that customers plan product upgrades to ensure that patches
released through the Security Alert program are available for the
versions they are currently running.

Product releases that are not under Premier Support or Extended Support
are not tested for the presence of vulnerabilities addressed by this
Security Alert. However, it is likely that earlier versions of affected
releases are also affected by these vulnerabilities. As a result, Oracle
recommends that customers upgrade to supported versions.

Database, Fusion Middleware, Oracle Enterprise Manager products are
patched in accordance with the Software Error Correction Support Policy
explained in My Oracle Support Note 209768.1. Please review the
Technical Support Policies for further guidelines regarding support
policies and phases of support.


References

    Oracle Critical Patch Updates, Security Alerts and Bulletins
    Oracle Critical Patch Updates and Security Alerts - Frequently Asked
       Questions
    Risk Matrix Definitions
    Use of Common Vulnerability Scoring System (CVSS) by Oracle
    English text version of the risk matrices
    CVRF XML version of the risk matrices
    Map of CVE to Advisory
    Software Error Correction Support Policy

Risk Matrix Content

Risk matrices list only security vulnerabilities that are newly fixed by
the patches associated with this advisory. Risk matrices for previous
security fixes can be found in previous Critical Patch Update advisories
and Alerts. An English text version of the risk matrices provided in
this document is here.

Security vulnerabilities are scored using CVSS version 3.0 (see Oracle
CVSS Scoring for an explanation of how Oracle applies CVSS version 3.0).

Oracle conducts an analysis of each security vulnerability addressed by
a Security Alert. Oracle does not disclose detailed information about
this security analysis to customers, but the resulting Risk Matrix and
associated documentation provide information about the type of
vulnerability, the conditions required to exploit it, and the potential
impact of a successful exploit. Oracle provides this information, in
part, so that customers may conduct their own risk analysis based on the
particulars of their product usage. For more information, see Oracle
vulnerability disclosure policies.

The protocol in the risk matrix implies that all of its secure variants
(if applicable) are affected as well. For example, if HTTP is listed as
an affected protocol, it implies that HTTPS (if applicable) is also
affected. The secure variant of a protocol is listed in the risk matrix
only if it is the only variant affected, e.g. HTTPS will typically be
listed for vulnerabilities in SSL and TLS.


Credit Statement

The following people or organizations reported security vulnerabilities
addressed by this Security Alert to Oracle:

    Badcode of Knownsec 404 Team: CVE-2019-2729
    Fangrun Li of Creditease Security Team: CVE-2019-2729
    Foren Lim: CVE-2019-2729
    Lucifaer: CVE-2019-2729
    orich1 of CUIT D0g3 Secure Team: CVE-2019-2729
    Sukaralin: CVE-2019-2729
    WenHui Wang of State Grid: CVE-2019-2729
    Ye Zhipeng of Qianxin Yunying Labs: CVE-2019-2729
    Yuxuan Chen: CVE-2019-2729
    Zhao Chang of Venustech ADLab: CVE-2019-2729
    Zhiyi Zhang from Codesafe Team of Legendsec at Qi'anxin Group:
      CVE-2019-2729


Modification History
Date            Note
2019-June-18    Rev 1. Initial Release.


Oracle Fusion Middleware Risk Matrix

This Security Alert contains 1 new security fix for Oracle Fusion
Middleware.  This vulnerability is remotely exploitable without
authentication, i.e., may be exploited over a network without requiring
user credentials.  The English text form of this Risk Matrix can be
found here.

Oracle Fusion Middleware products include Oracle Database components
that are affected by the vulnerabilities listed in the Oracle Database
section. The exposure of Oracle Fusion Middleware products is dependent
on the Oracle Database version being used. Oracle Database security
fixes are not listed in the Oracle Fusion Middleware risk matrix.
However, since vulnerabilities affecting Oracle Database versions may
affect Oracle Fusion Middleware products, Oracle recommends that
customers apply the June 2019 Critical Patch Update to the Oracle
Database components of Oracle Fusion Middleware products. For
information on what patches need to be applied to your environments,
refer to Critical Patch Update April 2019 Patch Availability Document
for Oracle Products, My Oracle Support Note 2535708.1.


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================