[KnownSec 404 Team] Oracle WebLogic Deserialization RCE Vulnerability (0day) Alert (updated 26 April)

Knownsec 404 team
Apr 21

Synopsis

The remote Oracle WebLogic server is affected by a remote code execution vulnerability (0day).

Description

A deserialization flaw in the Oracle WebLogic wls9_async and wls-wsat components allows remote command execution. It affects all WebLogic versions (including the latest release) on which the wls9_async_response.war and wls-wsat.war components are enabled.

At the time this alert was issued, Oracle had not yet released a corresponding fix, so this was a 0day vulnerability. An attacker can exploit it to execute commands remotely without authentication. We have reported the details to Oracle WebLogic.

Impact in cyberspace

ZoomEye, a well-known cyberspace search engine, returns 101,040 results for Oracle WebLogic servers, of which 36,173 were observed in 2019. Most of them are located in the US and China.

Temporary Solution

Scenario-1: Find and delete wls9_async_response.war and wls-wsat.war, then restart the WebLogic service.

Scenario-2: Restrict access to the /_async/* and /wls-wsat/* URL paths with an access-control policy.
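As an added example (not the 404 Team's own code), the POSIX shell script below applies and verifies both temporary mitigations: it locates the two .war files named above (and exploded copies of them) under a WebLogic installation or domain tree, quarantines them into a backup directory rather than deleting them outright so they can be restored once the vendor patch is applied, and probes a running server for the /_async/ and /wls-wsat/ prefixes to confirm that an access policy actually blocks them. The directory layout, the backup location and the specific probe paths under each prefix are assumptions; adjust them to your deployment.

```shell
#!/bin/sh
# Added example, not from the KnownSec advisory. Locate the wls9_async_response.war
# and wls-wsat.war components, quarantine them (Scenario-1), and verify that the
# /_async/ and /wls-wsat/ URL prefixes are blocked (Scenario-2).
# Assumptions: the WebLogic tree to scan is passed as an argument; exploded copies
# of the components use the same base name as the .war; probe paths are examples.

VULN_WARS="wls9_async_response.war wls-wsat.war"

# Print every copy of the two .war files, plus any exploded directory with the
# same base name (e.g. tmp/_WL_internal/wls-wsat), found under $1.
find_wls_components() {
    dir=$1
    for w in $VULN_WARS; do
        find "$dir" \( -name "$w" -o -name "${w%.war}" \) 2>/dev/null
    done | sort -u
}

# Number of matches, so a post-mitigation check can assert "zero remaining".
count_wls_components() {
    find_wls_components "$1" | wc -l | tr -d ' '
}

# Scenario-1: move the artifacts out of the tree into $2 instead of rm, keeping the
# original path encoded in the file name so they can be restored after patching.
# WebLogic must be restarted afterwards for the removal to take effect.
quarantine_wls_components() {
    dir=$1
    backup=$2
    mkdir -p "$backup"
    find_wls_components "$dir" | while IFS= read -r f; do
        mv "$f" "$backup/$(printf '%s' "$f" | tr / _)"
    done
}

# Scenario-2 verification: once the access policy is in place, requests under the
# two prefixes should be refused. $1 is the server base URL, e.g. http://host:7001.
# Returns 0 when every probe is blocked (403/404), 1 if any probe still reaches
# the component. The service names below are assumed; use the ones deployed.
probe_wls_paths() {
    base=$1
    rc=0
    for p in /_async/AsyncResponseService /wls-wsat/CoordinatorPortType; do
        code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$base$p")
        case $code in
            403|404) printf '%s blocked (HTTP %s)\n' "$p" "$code" ;;
            *)       printf '%s STILL REACHABLE (HTTP %s)\n' "$p" "$code"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage (after sourcing this file):
#   find_wls_components /u01/oracle            # list what is deployed
#   quarantine_wls_components /u01/oracle /root/wls-quarantine
#   probe_wls_paths http://weblogic.example:7001
```

Run the finder first and review its output before quarantining: the same .war can appear both under the server lib directory and as an exploded copy in a domain's tmp directory, and both must go before the restart or the component will be redeployed. The probe deliberately treats 403 and 404 alike, because an upstream reverse proxy may answer either for a denied path; any other status means the request reached WebLogic.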


Update

For this vulnerability, Oracle departed from its regular patch cycle and released an out-of-band emergency patch on 26 April 2019. The vulnerability carries a CVSS score of 9.8.


Written by

404 Team, the core team of Knownsec, a well-known security company in China. Twitter: @seebug_team, YouTube: @404team knownsec, Email: zoomeye@knownsec.com