- Threat Intelligence
- [Alert] WebLogic Java Deserialization Vulnerability (CVE-2018-3245)
[Alert] WebLogic Java Deserialization Vulnerability (CVE-2018-3245)
- Source:SANGFOR Security Center
- Date Published:2018-10-24
Definition From Encyclopedia
WebLogic is an application server, or a JAVAEE-based middleware components provided by Oracle Corporation.It is used to develop, integrate, deploy and manage distributed Web applications, network applications and database applications.
WebLogic Server is based on Java 2 Platform, Enterprise Edition (J2EE), the standard platform used to create Java-based multi-tier enterprise applications. It is the first commercialized application server for building and deploying enterprise Java EE applications in a robust, secure, highly available and scalable environment.
This vulnerability is blamed to WebLogic T3 service, a service that is enabled by default for applications having WebLogic web-access port open. According to the statistics, there are more than 35,382 assets having WebLogic service open to the Internet globally. Those located in China are up to 10,562, as shown in the following figure.
The Oracle WebLogic server is affected by a remote code execution vulnerability in its components due to unsafe deserialization of Java objects by the RMI registry. Unauthenticated attackers may encapsulate payload and transmit it via T3 protocol. Through deserialization of payload in T3 protocol, attackers may launch remote attacks against vulnerable WebLogic component to execute arbitrary code and gain all permissions of target system.
1. Use WebLogic Service in any of the following versions: Oracle WebLogic Server10.3.6.0, Oracle WebLogic Server126.96.36.199, Oracle WebLogic Server188.8.131.52
2. Open WebLogic service port to outside network
3. Open T3 protocol to outside network
Based on these three prerequisites, we have built an environment using WebLogic Server 10.3.6.0,
and CVE-2018-3245 vulnerability is discovered in this environment.
Oracle WebLogic Server10.3.6.0,
Oracle WebLogic Server184.108.40.206,
Oracle WebLogic Server220.127.116.11
Oracle has officially released the October Critical Patch Updates to fix this vulnerability.
(Click on the link https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html to learn more).
For affected and licensed users, please go to https://support.oracle.com and log in with your licensed account to download the patch updates.
Reject T3 connection request from outside the Intranet
Click Security > Filter, in the Connection Filter field on the page and enter
Then, in the Connection Filter Rules filed, enter
127.0.0.1 * * allow t3 t3s，0.0.0.0/0 * * deny t3 t3s
Click Save to save the changes and restart the server to apply changes.
Sangfor Security Cloud has updated in the first place and gained the ability to probe websites for this vulnerability and ensure user security.
For Sangfor NGAF customers, simply turn on the corresponding security protection feature.