A remote code execution vulnerability in Oracle WebLogic Server was publicly disclosed on April 17th, 2019 [1]. An unauthenticated remote attacker can exploit it by sending a crafted request to the server, resulting in code execution on the host. Attacks exploiting this vulnerability have been identified in the wild [2]. Oracle released security patches to address it on April 26th, 2019 [3]. It is highly recommended that affected WebLogic versions be patched as soon as possible to avoid compromise.

What are we doing about it

  • Current esRECON plugins identify this vulnerability
  • The eSentire Threat Intelligence Team is monitoring this issue for additional information

What you should do about it

  • Test and apply the security patches released by Oracle for WebLogic Server 10.3.6 and 12.1.3 [3]
  • If patching must be delayed, apply the interim mitigation described by the disclosing researchers [1]: remove the wls9_async_response.war and wls-wsat.war files and restart WebLogic, or restrict access to the /_async/* and /wls-wsat/* URL paths
  • Review whether the WebLogic listening port (7001 by default) is reachable from the internet, and restrict it if that exposure is not required

Additional information

The CVE identifier for this vulnerability is CVE-2019-2725 [4].

The affected Oracle WebLogic Server versions are 10.3.6.0.0 and 12.1.3.0.0 [3]. The vulnerability is a deserialization flaw in the wls9_async_response component (wls9_async_response.war), which is included in certain default WebLogic configurations and exposes the asynchronous web service under the /_async/ URL path.

GreyNoise Intelligence data shows an increase in scanning of TCP port 7001 (the default Oracle WebLogic listening port) since April 24th, 2019. This suggests that interest in internet-exposed WebLogic servers has grown since initial disclosure. Servers configured to listen on a different port, or reached through a reverse proxy, are equally affected and should not be considered out of scope on the basis of port alone.
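The two paragraphs above name the vulnerable component (wls9_async_response, served under /_async/) and the exposure vector (internet-reachable WebLogic). A practical check that combines both is to scan the WebLogic HTTP access log for POST requests to the /_async/ paths from outside the internal address space. The script below is an added example written for this advisory; it is not eSentire's esRECON plugin or any Oracle tooling. It assumes the access log is in Common Log Format (WebLogic's default access.log format), that the in-the-wild exploitation takes the form of POST requests to the wls9_async_response endpoints (as described in the SANS ISC diary [2]), and that RFC 1918 ranges represent "internal" sources. The log lines are constructed for the example, not captured traffic.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of a WebLogic HTTP access log in Common Log Format.
# These lines are made up for this example; they are not captured traffic.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [25/Apr/2019:10:01:12 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 3102
203.0.113.7 - - [25/Apr/2019:10:04:55 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0
203.0.113.7 - - [25/Apr/2019:10:05:01 +0000] "POST /_async/AsyncResponseServiceSoap12 HTTP/1.1" 202 0
10.0.0.9 - - [25/Apr/2019:10:06:30 +0000] "GET /_async/AsyncResponseService HTTP/1.1" 200 412
192.168.1.20 - - [25/Apr/2019:10:08:00 +0000] "POST /_async/AsyncResponseService HTTP/1.1" 202 0
198.51.100.23 - - [25/Apr/2019:10:07:10 +0000] "GET / HTTP/1.1" 404 1164
malformed line that should be skipped
"""

# One Common Log Format record: client, ident, user, [timestamp], "request", status, size.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)$'
)

# URL prefix served by wls9_async_response.war, the component named in the advisory.
# Add "/wls-wsat/" here if your deployment also ships wls-wsat.war.
VULNERABLE_PREFIXES = ("/_async/",)

# RFC 1918 ranges treated as "internal" for the exposure check (assumption for this example).
INTERNAL_NETS = tuple(
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


def is_internal(ip_text):
    """True if the address falls inside INTERNAL_NETS; unparsable input counts as external."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def parse_clf_line(line):
    """Parse one Common Log Format line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_async_posts(log_text, prefixes=VULNERABLE_PREFIXES, external_only=True):
    """Return access-log records for POST requests to the async web service paths.

    Only POSTs are flagged: a GET to the same path (for example someone fetching
    the WSDL from the console) is not the request shape seen in the wild. With
    external_only set, sources inside INTERNAL_NETS are dropped so the result
    reflects internet-originated traffic.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].startswith(prefixes):
            continue
        if external_only and is_internal(rec["ip"]):
            continue
        hits.append(rec)
    return hits


def sources_by_count(hits):
    """Count flagged requests per source IP, most active source first."""
    return Counter(h["ip"] for h in hits).most_common()


if __name__ == "__main__":
    for ip, n in sources_by_count(find_async_posts(SAMPLE_ACCESS_LOG)):
        print(f"{ip}: {n} POST request(s) to {', '.join(VULNERABLE_PREFIXES)}")
```

On a real server, feed the contents of the domain's access.log to find_async_posts; any external source returned is worth correlating against the patch date from [3], since a POST to /_async/ that arrived before the patch was applied should be treated as a possible compromise rather than a blocked attempt. Set external_only=False to also surface internal sources, which matters if an attacker already has a foothold on the network.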

References:

[1] https://medium.com/@knownseczoomeye/knownsec-404-team-oracle-weblogic-deserialization-rce-vulnerability-0day-alert-90dd9a79ae93

[2] https://isc.sans.edu/forums/diary/Update+about+Weblogic+CVE20192725+Exploits+Used+in+the+Wild+Patch+Status/24890/

[3] https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html#AppendixFMW

[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2725
