[KnownSec 404 Team] Oracle WebLogic Deserialization RCE Vulnerability (0day) Alert(update on 26th April)

by KnownSec 404 Team

Synopsis

The remote Oracle WebLogic server is affected by a remote code execution vulnerability(0day).

Description

Oracle WebLogic wls9_async and wls-wsat components trigger deserialization remote command execution vulnerability.This vulnerability affects all Weblogic versions (including the latest version) that have the wls9_async_response.war and wls-wsat.war components enabled.

By the time this alert was issued, the official still did not release the corresponding fix, which is a “0day” vulnerability. An attacker could exploit this vulnerability to remotely execute commands without authorization. And currently we have reported the details to the Oracle WebLogic official.

Impact in cyberspace

ZoomEye is a famous cyberspace search engine and have 101,040 results about Oracle WebLogic server,there are 36,173 results on 2019.Most of them are distributed in the US and China.

Temporary Solution

Scenario-1: Find and delete wls9_async_response.war, wls-wsat.war and restart the Weblogic service

Scenario-2: Controls URL access for the /_async/* and /wls-wsat/* paths by access policy control.

Reference

[1] About Oracle WebLogic https://www.oracle.com/middleware/weblogic/index.html
[2] April 17 CNVD releases vulnerability announcement http://www.cnvd.org.cn/webinfo/show/4989
[3] Seebug vulnerability record https://www.seebug.org/vuldb/ssvid-97920
[4] Zoomeye search engine Dork https://www.zoomeye.org/searchResult?q=weblogic

Update

For this vulnerability, Oracle broke the regular patch process, and launched an independent emergency patch on 26th April,2019. The vulnerability CVSS score 9.8.

https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html