Oracle WebLogic RCE Vulnerability - UPDATE

The Threat

On June 15^th, 2019, security researchers from KnownSec 404 publicly announced that new zero-day attacks against Oracle WebLogic Servers are occurring in the wild [1]. The vulnerability being exploited in these attacks (CVE-2019-2729) allows for remote and unauthenticated code execution on vulnerable Oracle WebLogic servers. As of June 18^th, 2019, Oracle has released security patches to mitigate this vulnerability [2]. It is highly recommended to apply these patches, after a business impact review, to limit the risk of successful exploitation.

What we’re doing about it

• The Threat Intelligence team is monitoring this topic for additional information

What you should do about it

• After performing a business impact review, apply the latest Oracle WebLogic security patches
• If patching is not an option, consider applying KnownSec 404’s temporary solutions
  • Find and delete wls9_async_response.war, wls-wsat.war and restart the Weblogic service OR
  • Controls URL access for the /_async/* and /wls-wsat/* paths by access policy control.

Additional information

The vulnerability resides in the XMLDecoder in Oracle WebLogic Server Web Services. Due to the lack of required authentication and the wide number of vulnerable servers, it is highly important to quickly apply security patches.

The threat actors, in this case, appear to have bypassed the Oracle patches released in late April that addressed CVE-2019-2725 [3].

Vulnerable Oracle WebLogic Servers Versions:

• 3.6.0.0
• 1.3.0.0
• 2.1.3.0

References:

[1] https://medium.com/@knownsec404team/knownsec-404-team-alert-again-cve-2019-2725-patch-bypassed-32a6a7b7ca15

[2] https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html?from=groupmessage&isappinstalled=0

[3] https://www.esentire.com/security-advisories/oracle-weblogic-rce-vulnerability/