Oracle WebLogic RCE Vulnerability

A remote code execution vulnerability in Oracle WebLogic Servers was publicly disclosed on April 17^th, 2019 [1]. A remote attacker could exploit this vulnerability by sending a malicious request to the server, resulting in code execution without authentication. Attacks exploiting this vulnerability have been identified in the wild [2]. Oracle released security patches to address this vulnerability on April 26^th [3]. It is highly recommended that affected WebLogic versions be patched as soon as possible to avoid compromise.

What are we doing about it

• Current esRECON plugins identify this vulnerability
• The eSentire Threat Intelligence Team is monitoring this issue for additional information

What you should do about it

• Test and apply security patches released by Oracle for WebLogic 10.3.6. and WebLogic 12.1.3

Additional information

The current CVE reference for this vulnerability is CVE-2019-2725 [4].

The affected Oracle WebLogic versions are WebLogic 10.X and WebLogic 12.1.3. The vulnerability resides in the wls9_async_response package, included in the certain default WebLogic configurations.

Using data from GreyNoise Intelligence, an increase in scanning activity for port 7001 (the default listening port for Oracle WebLogic) has been observed since April 24^th, 2019. This increase suggests that interest in exposed Oracle WebLogic servers has increased since initial disclosure.

References:

[1] https://medium.com/@knownseczoomeye/knownsec-404-team-oracle-weblogic-deserialization-rce-vulnerability-0day-alert-90dd9a79ae93

[2]https://isc.sans.edu/forums/diary/Update+about+Weblogic+CVE20192725+Exploits+Used+in+the+Wild+Patch+Status/24890/

[3] https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html#AppendixFMW

[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2725