Oracle WebLogic Affected by Unauthenticated Remote Code Execution Vulnerability (CVE-2019-2725)
Oracle WebLogic is vulnerable to a new deserialization vulnerability that could allow an attacker to execute remote commands on vulnerable hosts.
Update May 3, 2019: The solution section below has been updated to reflect the available Oracle updates, and the mitigation section has been revised for clarity.
Background
On April 17, China National Vulnerability Database (CNVD) published a security bulletin about an unauthenticated remote command execution (RCE) vulnerability in Oracle WebLogic (CNVD-C-2019-48814). Oracle WebLogic Server is middleware for deploying and administering web applications. An attacker could send a request to a WebLogic Server, which would then reach out to a malicious host to complete the request, opening up the WebLogic server to an RCE attack.
التحليل
Tenable Research has been examining this vulnerability to provide in-depth understanding of the attack and its risk. With public discourse surrounding how this attack works, and how it differs from CVE-2017-10271, Tenable was able to create a working proof of concept (PoC) against a target updated to the latest version of Web Logic server with the latest Oracle CPU applied.
An attacker could send specially crafted XML requests to a WebLogic server, which then causes the server to execute code instructing the server to reach out to a specific malicious host to complete the request. The WebLogic server then receives another XML response from the malicious host containing additional exploit instructions.
Proof of concept
We have reviewed some of the PoC code in circulation and have demonstrated a modified version of one PoC, which can be seen in the following video:
Solution
Oracle has released an official fix for this vulnerability and it’s available here.
The following workaround steps are available for customers that are unable to apply the update from Oracle, and both of these steps must be performed:
- Delete the wls9_async_response.war, wls-wsat.war packages from the WebLogic server, and restart the Weblogic service.
- Restrict access to, or disable, the “/_async/*” and “/wls-wsat/” URL paths on the WebLogic server.
In addition, Tenable recommends reviewing your organization’s whitelist for trusted sources on your WebLogic server. At this time, known exploits for this vulnerability require the server to reach out to a malicious host. If that malicious host is not trusted, and does not appear on your organizational whitelist, this can reduce the risk of attack for currently available known exploit methods.
Identifying affected systems
A list of plugins to identify this vulnerability will appear here as they’re released.
الحصول على مزيد من المعلومات
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.
مقالات ذات صلة
How to Discover, Analyze and Respond to Threats Faster with Generative AI
June 17, 2024Generative AI (GenAI) is being hailed as the most transformative innovation since the rise of the internet. For security, GenAI can revolutionize the field if applied correctly, especially when it comes to threat detection and response. It enhances efficiency and productivity by swiftly processing and delivering critical information when it matters most.
These Services Shall Not Pass: Abusing Service Tags to Bypass Azure Firewall Rules (Customer Action Required)
June 3, 2024Azure customers whose firewall rules rely on Azure Service Tags, pay attention: You could be at risk due to a vulnerability detected by Tenable Research. Here’s what you need to know to determine if you’re affected, and if so, what you should do right away to protect your Azure environment from attackers.
Cybersecurity Snapshot: EPA Urges Water Plants To Boost Cybersecurity, as OpenSSF Launches Threat Intel Platform for Open Source Software
May 24, 2024Check out the EPA’s call for water plants to beef up their cyber defenses. Plus, open source developers have a new platform to share threat intelligence. Moreover, business email compromise attacks prompt alert from U.K.’s cyber agency. And CISA tackles DNS encryption best practices. And much more!
How the regreSSHion Vulnerability Could Impact Your Cloud Environment
July 5, 2024With growing concern over the recently disclosed regreSSHion vulnerability, we’re explaining here what it is, why it’s so significant, what it could mean for your cloud environment and how Tenable Cloud Security can help.
Cybersecurity Snapshot: Malicious Versions of Cobalt Strike Taken Down, While Microsoft Notifies More Orgs About Midnight Blizzard Email Breach
July 5, 2024Check out the results of a multinational operation against illegal instances of Cobalt Strike. Plus, more organizations are learning that Midnight Blizzard accessed their email exchanges with Microsoft. Meanwhile, Carnegie Mellon has a new report about how to fix and mitigate API vulnerabilities. And two new reports shed light on cyber insurance trends. And much more!
Cybersecurity Snapshot: Memory Bugs Pervasive in Open Source SW, While Car Dealership Chaos Persists After Ransomware Attack
June 28, 2024Check out why memory vulnerabilities are widespread in open source projects. Plus, get the latest on the ransomware attack that’s disrupted car sales in North America. In addition, find out why a majority of organizations grew their cyber budgets this year. And learn how confidential data from U.S. chemical facilities may have been accessed by hackers. And much more!
- Threat Intelligence
- Threat Management
- Vulnerability Management
- Vulnerability Scanning