Attackers looking to compromise Oracle WebLogic servers have a new zero-day RCE flaw at their disposal.
“Oracle WebLogic wls9_async and wls-wsat components trigger deserialization remote command execution vulnerability. This vulnerability affects all Weblogic versions (including the latest version) that have the wls9_async_response.war and wls-wsat.war components enabled,” KnownSec 404 researchers warn.
The flaw has been reported to Oracle, but has yet to receive a CVE number. It can currently be tracked under the following identifier: CNVD-C-2019-48814.
About Oracle WebLogic
Oracle WebLogic is a Java EE application server that is part of Oracle’s Fusion Middleware portfolio and supports a variety of popular databases. Its last stable release, 12cR2, dates back to August 2017.
According to the researchers, tens of thousands of WebLogic servers can be found across the world, predominantly deployed in the US and China but also in Iran, Germany, India, and elsewhere. How many of these are actually vulnerable is still unknown.
As these servers are often deployed in enterprise settings and connected to other enterprise systems, a compromised instance could also be exploited to steal sensitive data (PII, IP, etc.).
Oracle recently released a Critical Patch Update and the next one is scheduled for July. If the company decides against publishing an out-of-band security update for this flaw, the researchers advise server administrators to keep their machines safe from exploitation by either:
- Finding and deleting wls9_async_response.war, wls-wsat.war and restarting the Weblogic service, or by
- Preventing access to the /_async/* and /wls-wsat/* URL paths via access policy control.
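As an added example (not from the article, KnownSec 404 or Oracle), the following Python script scans access-log lines for requests aimed at the two URL prefixes named above and records whether the recommended access-policy control already denied them (HTTP 403). The log lines are constructed, and the endpoint names after the prefixes are assumed for illustration.

```python
import re
from typing import List
from urllib.parse import unquote, urlsplit

# URL prefixes served by the affected WAR components named in the advisory.
VULNERABLE_PREFIXES = ("/_async/", "/wls-wsat/")

# Common Log Format as written by WebLogic/Apache-style access logs.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (hypothetical traffic, not from any real server).
SAMPLE_LOG = """\
203.0.113.7 - - [26/Apr/2019:10:01:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120
203.0.113.9 - - [26/Apr/2019:10:01:05 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0
203.0.113.9 - - [26/Apr/2019:10:01:06 +0000] "POST /wls-wsat/CoordinatorPortType?wsdl HTTP/1.1" 500 1234
198.51.100.4 - - [26/Apr/2019:10:02:00 +0000] "POST /%5Fasync/AsyncResponseService HTTP/1.1" 403 0
"""


def targets_vulnerable_component(target: str) -> bool:
    """True if the request path (percent-decoded, query string stripped) hits one of the WARs."""
    path = unquote(urlsplit(target).path)
    return path.startswith(VULNERABLE_PREFIXES)


def scan_access_log(text: str) -> List[dict]:
    """Return one record per request aimed at /_async/* or /wls-wsat/*.

    'blocked' is True when the server answered 403, i.e. the access-policy
    mitigation from the advisory already denied the request.
    """
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not targets_vulnerable_component(m["target"]):
            continue
        status = int(m["status"])
        hits.append({
            "host": m["host"],
            "method": m["method"],
            "path": unquote(urlsplit(m["target"]).path),
            "status": status,
            "blocked": status == 403,
        })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        flag = "blocked" if hit["blocked"] else "REACHED COMPONENT"
        print(f'{hit["host"]} {hit["method"]} {hit["path"]} -> {hit["status"]} ({flag})')
```

Percent-encoded variants of the prefixes are decoded before matching, so a path written as /%5Fasync/ is still counted.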
It is expected that attackers will waste no time in prowling for vulnerable installations and exploiting them.
SANS ISC handler Rob VandenBrink pointed out that the root cause of the vulnerability seems to be that the affected WAR components ingest and process all serialized data and rely on a blacklist of “bad” content to filter it.
“What this means to me is that we’re likely to see a number of similar vulnerabilities / attacks crop up over the next while, until Oracle changes this approach,” he added.
UPDATE (3 p.m. PT):
Oracle has released an out-of-band security fix for Oracle Fusion Middleware which addresses this WebLogic vulnerability. The flaw has also been assigned a CVE number: CVE-2019-2725.
The vulnerability is under active exploitation, so if you’re running an Internet-facing WebLogic server, you might want to patch it sooner rather than later.