WebLogic Remote Code Execution Vulnerability (CVE-2019-2725)

Updated on:

Overview

Oracle WebLogic is vulnerable to a new deserialization vulnerability that could allow an attacker to execute remote commands on vulnerable hosts.

This vulnerability was identified in China by China National Vulnerability Database (CNVD) published a Security Team, they have issued a bulletin about an unauthenticated remote command execution (RCE) vulnerability in Oracle WebLogic (CNVD-C-2019-48814). Oracle WebLogic Server is middleware for deploying and administering web applications. An attacker could send a request to a WebLogic Server, which would then reach out to a malicious host to complete the request, opening up the WebLogic server to an Remote Code Execution attack.

Analysis

An attacker could send specially crafted XML requests to a WebLogic server, which then causes the server to execute code instructing the server to reach out to a specific malicious host to complete the request. The WebLogic server then receives another XML response from the malicious host containing additional exploit instructions.

 

Affected Weblogic versions

Oracle weblogic server 10.3.6.0,  Oracle webLogic Server 12.1.3.0 (includes Fusion Middleware).

 

Solution

Oracle has released an official fix for this vulnerability and it’s available here.

The following workaround steps are available for customers that are unable to apply the update from Oracle, and both of these steps must be performed:

  1. Delete the wls9_async_response.war, wls-wsat.war packages from the WebLogic server, and restart the Weblogic service.
  2. Restrict access to, or disable, the “/_async/*” and “/wls-wsat/” URL paths on the WebLogic server.

In addition, it is recommended to upgrade WebLogic server according to your organization's vulnerability assessment as per whitelist  . At this time, known exploits for this vulnerability require the server to reach out to a malicious host. If that malicious host is not trusted, and does not appear on your organizational whitelist, this can reduce the risk of attack for currently available known exploit methods.

 

Follow me on Linkedin My Profile
Follow DevopsJunction onFacebook orTwitter
For more practical videos and tutorials. Subscribe to our channel

Buy Me a Coffee at ko-fi.com

Signup for Exclusive "Subscriber-only" Content

More from Middleware Inventory

  • Oracle Weblogic Basic Authentication

    Overview   Oracle WebLogic Server authentication is enabled by default. However, this configuration prevents Oracle WebLogic Server from using application managed authentication. You must disable Oracle WebLogic Server authentication by setting the enforce-valid-basic-auth-credentials parameter to false. Procedure  To disable Oracle WebLogic Server authentication: In a text editor, open the xmlfile from the domain folder. The config.xml file is in the Oracle/Middleware/user_projects/domains/domain_name/config directory. Locate the <security-configuration> Add the…

  • Oracle WebLogic Java Deserialization Vulnerability (CVE-2018-2628)

     Overview Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server via unsafe deserialization of Java objects. Successful…

  • Weblogic 12c Oracle Datasource TNS Exception

    Problem While creating a Oracle Data source in weblogic 12c, If you are encountering the below error message upon TestConnection. Though all the SID(Database name) and Host and Port are Correct Listener refused the connection with the following error: ORA-12505, TNS:listener does not currently know of SID given in connect descriptor…

  • What is ORACLE_HOME,MW_HOME,WL_HOME in Weblogic 12c

    The Objective In this post, we are going to see what are the different types of home directories available in weblogic and the various options or methods to find the ORACLE_HOME, MW_HOME and WL_HOME of your weblogic 12c installation. The commands and the methods are mostly given for the LINUX…

  • Docker Weblogic : Run Oracle Weblogic 12c on Docker

    The Introduction to Docker Weblogic In this post, we are going to be exploring the quick and easy option available to get started with weblogic and Docker.  In this post, we are going to see how to create a weblogic container in docker in a few easy steps. The post's…