[KnownSec 404 Team] Oracle WebLogic Deserialization RCE Vulnerability (0day) Alert Again (CVE-2019-2725 patch bypassed!!!)


Author: KnownSec 404 Team
Date: 06/15/2019

In April 2019, KnownSec 404 Team released a 0day vulnerability warning: https://medium.com/@knownsec404team/knownsec-404-team-oracle-weblogic-deserialization-rce-vulnerability-0day-alert-90dd9a79ae93. Oracle then released the CVE (CVE-2019-2725) and a patch for the vulnerability on April 26th: https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html

Today, a new Oracle WebLogic deserialization RCE 0day vulnerability was found and is being actively used in the wild. We analyzed and reproduced the 0day vulnerability, which is based on and bypasses the patch for CVE-2019-2725.

We have contacted the Oracle WebLogic team. We recommend that users apply the temporary solutions below until the official patch is released.

Temporary Solution

Scenario-1:

Find and delete wls9_async_response.war and wls-wsat.war, then restart the WebLogic service.

Scenario-2:

Control URL access to the /_async/* and /wls-wsat/* paths through an access control policy.
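
A check for Scenario-2, added here as an example and not part of the original advisory: it scans web access logs for requests to the two path prefixes and reports whether each one was blocked. It assumes Common Log Format lines; the sample entries and the `/example` endpoint names are constructed.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Path prefixes named in Scenario-2 of the advisory.
GUARDED_PREFIXES = ("/_async/", "/wls-wsat/")
# Assumption: one request per line, Common Log Format.
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                 r'"\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')
# Statuses expected once the path is denied or the WAR has been removed.
DENIED = {"401", "403", "404"}

def canonical_path(target):
    """Decode and normalise a request target so variants map to one path."""
    path = unquote(target.split("?", 1)[0])
    # normpath collapses "//" and "/./"; lower() makes the match
    # deliberately over-inclusive; the trailing "/" lets a bare
    # "/_async" match the "/_async/" prefix.
    return normpath("/" + path.lstrip("/")).lower() + "/"

def audit(lines):
    """Return (host, path, status, verdict) for each hit on a guarded path."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a request line in the assumed format
        path = canonical_path(m["target"])
        if path.startswith(GUARDED_PREFIXES):
            verdict = "blocked" if m["status"] in DENIED else "REACHED"
            findings.append((m["host"], path.rstrip("/"), m["status"], verdict))
    return findings

# Constructed sample lines (documentation IP ranges, made-up endpoint names).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jun/2019:10:01:02 +0800] "POST /_async/example HTTP/1.1" 202 0',
    '192.0.2.10 - - [15/Jun/2019:10:01:05 +0800] "POST /wls-wsat/example HTTP/1.1" 403 1166',
    '198.51.100.7 - - [15/Jun/2019:10:02:11 +0800] "GET //%5Fasync/./example HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/Jun/2019:10:03:40 +0800] "GET /console/index.html HTTP/1.1" 200 3021',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Any REACHED row logged after the access policy is in place means the policy is not matching that form of the request.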


Update

Oracle released a patch for this vulnerability on 18th June, 2019. The vulnerability has a CVSS score of 9.8.

https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html?from=groupmessage&isappinstalled=0
