Oracle WebLogic Affected by Unauthenticated Remote Code Execution Vulnerability (CVE-2019-2725)
Oracle WebLogic is vulnerable to a new deserialization vulnerability that could allow an attacker to execute remote commands on vulnerable hosts.
Update May 3, 2019: The solution section below has been updated to reflect the available Oracle updates, and the mitigation section has been revised for clarity.
Hintergrund
On April 17, China National Vulnerability Database (CNVD) published a security bulletin about an unauthenticated remote command execution (RCE) vulnerability in Oracle WebLogic (CNVD-C-2019-48814). Oracle WebLogic Server is middleware for deploying and administering web applications. An attacker could send a request to a WebLogic Server, which would then reach out to a malicious host to complete the request, opening up the WebLogic server to an RCE attack.
Analyse
Tenable Research has been examining this vulnerability to provide in-depth understanding of the attack and its risk. With public discourse surrounding how this attack works, and how it differs from CVE-2017-10271, Tenable was able to create a working proof of concept (PoC) against a target updated to the latest version of Web Logic server with the latest Oracle CPU applied.
An attacker could send specially crafted XML requests to a WebLogic server, which then causes the server to execute code instructing the server to reach out to a specific malicious host to complete the request. The WebLogic server then receives another XML response from the malicious host containing additional exploit instructions.
Proof-of-Concept
We have reviewed some of the PoC code in circulation and have demonstrated a modified version of one PoC, which can be seen in the following video:
Lösung
Oracle has released an official fix for this vulnerability and it’s available here.
The following workaround steps are available for customers that are unable to apply the update from Oracle, and both of these steps must be performed:
- Delete the wls9_async_response.war, wls-wsat.war packages from the WebLogic server, and restart the Weblogic service.
- Restrict access to, or disable, the “/_async/*” and “/wls-wsat/” URL paths on the WebLogic server.
In addition, Tenable recommends reviewing your organization’s whitelist for trusted sources on your WebLogic server. At this time, known exploits for this vulnerability require the server to reach out to a malicious host. If that malicious host is not trusted, and does not appear on your organizational whitelist, this can reduce the risk of attack for currently available known exploit methods.
Identifizieren betroffener Systeme
A list of plugins to identify this vulnerability will appear here as they’re released.
Weitere Informationen
Verfolgen Sie die Beiträge des Security Response Team von Tenable in der Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.
Verwandte Artikel
Cybersecurity Snapshot: Find MITRE ATT&CK Complex? Need Help Mapping to It? There’s an App for That!
March 10, 2023Learn about a new tool that streamlines MITRE ATT&CK mapping. Plus, known vulnerabilities remain a major cyber risk – just ask LastPass. Also, discover why SaaS data protection remains difficult. Plus, a look at the U.S. National Cybersecurity Strategy. And much more!
The Ransomware Ecosystem: In Pursuit of Fame and Fortune
July 28, 2022The key players within the ransomware ecosystem, including affiliates and initial access brokers, work together cohesively like a band of musicians, playing their respective parts as they strive for fame and fortune.
Brazen, Unsophisticated and Illogical: Understanding the LAPSUS$ Extortion Group
July 20, 2022Having gained the industry’s attention in the first months of 2022, the LAPSUS$ extortion group has largely gone quiet. What can we learn from this extortion group’s story and tactics?
Operational Technology in the DoD: Ensuring a Secure and Efficient Power Grid
April 19, 2024In an evolving threat landscape, the DoD must make sure that its mission-critical operations don’t experience power outages.
Cybersecurity Snapshot: Cyber Agencies Offer Secure AI Tips, while Stanford Issues In-Depth AI Trends Analysis, Including of AI Security
April 19, 2024Check out recommendations for securing AI systems from the Five Eyes cybersecurity agencies. Plus, Stanford University offers a comprehensive review of AI trends. Meanwhile, a new open-source tool aims to simplify SBOM usage. And don’t miss the latest CIS Benchmarks updates. And much more!
Tenable and Thales Collaborate to Provide Cyber Defense Simulations to Better Secure Operational Technology Environments
April 18, 2024The heart of the Welsh Valleys is home to the Thales Ebbw Vale campus, a world-class facility jointly funded by the Welsh government as part of its regeneration program for the region. At the core of the facility is the Cyber Range, a simulation and virtualization platform for training, testing, exercising and R&D. Tenable has joined the lineup of solutions used to run real world simulations in this controlled environment.
- Threat Intelligence
- Threat Management
- Vulnerability Management
- Vulnerability Scanning