[KnownSec 404 Team] Oracle WebLogic Deserialization RCE Vulnerability (0day) Alert Again (CVE-2019-2725 patch bypassed!!!)

Author: KnownSec 404 Team
Date: 06/15/2019

In April 2019, the KnownSec 404 Team released a 0day vulnerability warning: https://medium.com/@knownsec404team/knownsec-404-team-oracle-weblogic-deserialization-rce-vulnerability-0day-alert-90dd9a79ae93. Oracle then assigned CVE-2019-2725 and released a patch on April 26th: https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html

Today, a new Oracle WebLogic deserialization RCE 0day vulnerability was found and is being actively exploited in the wild. We analyzed and reproduced the 0day vulnerability; it builds on CVE-2019-2725 and bypasses the patch for it.


We have contacted Oracle WebLogic officially, and we recommend that users apply the temporary solutions below until the official patch is released.

Temporary Solution

Scenario-1:

Find and delete wls9_async_response.war and wls-wsat.war, then restart the WebLogic service.
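Scenario-1 as a script, added here as an example and not KnownSec 404 Team's code. It walks a WebLogic installation for the two WAR files, which it assumes sit under wlserver/server/lib or as an exploded copy in a server's tmp/_WL_internal staging area (the directory tree built in demo() is constructed), and moves them to a backup directory instead of deleting them outright so they can be restored once the vendor patch is applied.

```python
"""Locate and quarantine the WebLogic components named in Scenario-1.

Added example, not KnownSec 404 Team's code. Assumes the WAR files live
somewhere under the WebLogic installation or domain directory; the layout
built in demo() is constructed for illustration.
"""
import os
import shutil
import tempfile

# File names given in the advisory. They may appear as a .war archive or as
# an exploded directory of the same name in a server's staging area.
TARGET_WARS = ("wls9_async_response.war", "wls-wsat.war")


def locate_wars(root):
    """Return every path under root whose basename is one of TARGET_WARS."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames) + filenames:
            if name in TARGET_WARS:
                hits.append(os.path.join(dirpath, name))
        # Do not descend into an exploded .war directory we just recorded.
        dirnames[:] = [d for d in dirnames if d not in TARGET_WARS]
    return sorted(hits)


def quarantine(paths, root, backup_dir):
    """Move each path out of the install tree into backup_dir.

    The advisory says delete; moving keeps a copy for restoration after the
    patch. The path relative to root is preserved inside backup_dir so
    several copies of the same WAR do not collide.
    """
    moved = []
    for path in paths:
        rel = os.path.relpath(path, root)
        dest = os.path.join(backup_dir, rel)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        shutil.move(path, dest)
        moved.append(dest)
    return moved


def demo():
    """Build a constructed install tree, scan it and quarantine the hits.

    Returns (found paths relative to root, hits remaining after quarantine).
    """
    root = tempfile.mkdtemp(prefix="wl_home_")
    backup = tempfile.mkdtemp(prefix="wl_backup_")
    try:
        # Constructed layout: assumed locations, not taken from the advisory.
        lib = os.path.join(root, "wlserver", "server", "lib")
        staging = os.path.join(root, "user_projects", "domains", "base_domain",
                               "servers", "AdminServer", "tmp", "_WL_internal")
        os.makedirs(lib)
        os.makedirs(os.path.join(staging, "wls-wsat.war", "WEB-INF"))
        for name in TARGET_WARS + ("weblogic.jar",):
            with open(os.path.join(lib, name), "wb") as fh:
                fh.write(b"PK\x03\x04")  # constructed stand-in for archive bytes
        found = locate_wars(root)
        quarantine(found, root, backup)
        remaining = locate_wars(root)
        return [os.path.relpath(p, root) for p in found], remaining
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(backup, ignore_errors=True)


if __name__ == "__main__":
    found, remaining = demo()
    print("found:", found)
    print("remaining after quarantine:", remaining)
```

Against a real installation, stop the server first and restart it afterwards, as the advisory says, and scan both the product directory and every domain directory, since a server's staging area can hold its own exploded copy. Removing wls-wsat.war also disables WS-AtomicTransaction support, so confirm nothing deployed depends on it.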

Scenario-2:

Restrict URL access to the /_async/* and /wls-wsat/* paths with an access policy control.
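A log check for Scenario-2, added here as an example and not KnownSec 404 Team's code. It parses access-log lines in Common Log Format (the sample lines are constructed, with documentation addresses and made-up sub-paths under the two prefixes), normalizes each request path the way the container routes it, and reports which requests reached /_async/* or /wls-wsat/* and whether they were served or refused, so the access policy can be verified after it is applied.

```python
"""Audit access-log lines for requests to the URL paths named in Scenario-2.

Added example, not KnownSec 404 Team's code. Assumes the front-end web
server or WebLogic access log is in Common Log Format; the sample lines
are constructed, and the sub-paths under the prefixes are made up.
"""
import posixpath
import re
from urllib.parse import unquote

# Path prefixes the advisory says to restrict.
RESTRICTED_PREFIXES = ("/_async/", "/wls-wsat/")

# Common Log Format: host ident user [time] "method target proto" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: 203.0.113.0/24 is documentation address space.
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Jun/2019:10:01:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120',
    '203.0.113.11 - - [15/Jun/2019:10:02:17 +0000] "POST /_async/handler HTTP/1.1" 202 0',
    '203.0.113.12 - - [15/Jun/2019:10:03:44 +0000] "POST /wls-wsat/service HTTP/1.1" 403 201',
    '203.0.113.13 - - [15/Jun/2019:10:04:09 +0000] "POST //_async/./%68andler HTTP/1.1" 202 0',
    '203.0.113.14 - - [15/Jun/2019:10:05:30 +0000] "GET /_asyncdata/report HTTP/1.1" 200 88',
]


def canonical_path(target):
    """Reduce a request target to the path the container will route on.

    Dropping the query, percent-decoding, collapsing repeated slashes and
    resolving dot segments makes this check agree with the canonical form
    the access policy should also be matching against.
    """
    path = unquote(target.split("?", 1)[0])
    path = posixpath.normpath(path)  # collapses // and resolves . and ..
    return "/" + path.lstrip("/")    # normpath keeps a leading "//"; drop it


def is_restricted(target):
    """True if the canonical path is one of the restricted prefixes or below it."""
    path = canonical_path(target)
    return any(path == p.rstrip("/") or path.startswith(p) for p in RESTRICTED_PREFIXES)


def scan_access_log(lines):
    """Return one dict per request that reached a restricted path.

    'allowed' is True for a 2xx status, meaning the policy was not in effect
    for that request; a 403 shows the control working.
    """
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m or not is_restricted(m["target"]):
            continue
        status = int(m["status"])
        hits.append({
            "host": m["host"],
            "method": m["method"],
            "path": canonical_path(m["target"]),
            "status": status,
            "allowed": 200 <= status < 300,
        })
    return hits


def policy_gaps(hits):
    """Hosts whose requests to a restricted path were still served."""
    return sorted({h["host"] for h in hits if h["allowed"]})


if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(h)
    print("policy gaps:", policy_gaps(scan_access_log(SAMPLE_LOG)))
```

Run it over the log after the access policy is in place: any entry with allowed set to True is a request the policy did not catch, and the normalization step is what keeps a request written with doubled slashes, dot segments or percent-encoding from slipping past a literal prefix comparison in either the policy or the audit.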


Update

For this vulnerability, Oracle released its patch on 18th June, 2019. The vulnerability has a CVSS score of 9.8.

https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html


404 Team is the core team of Knownsec, a well-known security company in China. Twitter: @seebug_team; YouTube: @404team knownsec; Email: zoomeye@knownsec.com
