[KnownSec 404 Team] Oracle WebLogic Deserialization RCE Vulnerability (0day) Alert Again (CVE-2019-2725 patch bypassed!!!)
Author: KnownSec 404 Team
Date: 06/15/2019
In April 2019 the KnownSec 404 Team released a 0day vulnerability warning: https://medium.com/@knownsec404team/knownsec-404-team-oracle-weblogic-deserialization-rce-vulnerability-0day-alert-90dd9a79ae93. Oracle then assigned the vulnerability CVE-2019-2725 and released a patch on April 26th: https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html
Today, a new Oracle WebLogic deserialization RCE 0day vulnerability was found and is being actively exploited in the wild. We analyzed and reproduced the 0day vulnerability; it builds on CVE-2019-2725 and bypasses that patch.
We have already contacted Oracle WebLogic officially. Until the official patch is released, we recommend that users apply the temporary solutions below.
Temporary Solution
Scenario-1:
Find and delete wls9_async_response.war and wls-wsat.war, then restart the WebLogic service.
Scenario-2:
Restrict URL access to the /_async/* and /wls-wsat/* paths through an access control policy.
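As an added example (not part of the original advisory and not Oracle's own tooling), the shell script below carries out Scenario-1 in a reversible way: it locates every copy of the two archives under a WebLogic installation directory, moves them into a backup directory instead of deleting them, and reports how many copies remain. The installation path and the backup path are assumptions passed as arguments; the optional post-restart check only confirms that the two path prefixes named in Scenario-2 no longer answer.

```shell
#!/bin/sh
# Added example, not from the advisory. Assumptions: $1 is the WebLogic
# installation root (for instance the Oracle home), $2 is a writable backup
# directory outside the server's classpath.

# Print the full path of every wls9_async_response.war and wls-wsat.war
# found below the given directory (one per line).
find_async_wars() {
    find "$1" -type f \( -name 'wls9_async_response.war' -o -name 'wls-wsat.war' \) 2>/dev/null
}

# Move each archive into the backup directory. The file is renamed to its
# original path with '/' replaced by '_' so copies from different
# directories do not collide and the move can be reverted after Oracle's
# patch is applied. Prints the number of copies still present (0 = clean).
quarantine_async_wars() {
    base="$1"; backup="$2"
    mkdir -p "$backup"
    find_async_wars "$base" | while IFS= read -r f; do
        mv "$f" "$backup/$(printf '%s' "$f" | tr '/' '_')"
    done
    find_async_wars "$base" | wc -l | tr -d ' '
}

# Optional check after the WebLogic restart (needs network; the base URL
# such as http://host:7001 is an assumption). Prints the HTTP status for
# the two path prefixes from Scenario-2; a 200 means the mitigation is not
# in effect yet.
check_paths_blocked() {
    for p in /_async/ /wls-wsat/; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$1$p")
        printf '%s %s\n' "$p" "$code"
    done
}

# Usage: sh this_script.sh /path/to/weblogic /root/weblogic-war-backup
if [ "$#" -ge 2 ]; then
    echo "remaining copies: $(quarantine_async_wars "$1" "$2")"
fi
```

Run it with the WebLogic service stopped, then restart the service as the advisory says; keep the backup directory until the official patch is installed so the archives can be restored afterwards.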
Reference
[1] About Oracle WebLogic https://www.oracle.com/middleware/weblogic/index.html
[2] [KnownSec 404 Team] Oracle WebLogic Deserialization RCE Vulnerability (0day) Alert (update on 26th April) https://medium.com/@knownsec404team/knownsec-404-team-oracle-weblogic-deserialization-rce-vulnerability-0day-alert-90dd9a79ae93
[3] Oracle Security Alert Advisory - CVE-2019-2725 https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html
[4] Zoomeye search engine Dork https://www.zoomeye.org/searchResult?q=weblogic
Update
For this vulnerability, Oracle released its patch on 18th June, 2019. The vulnerability has a CVSS score of 9.8.