Oracle WebLogic Remote Execution Vulnerability (CVE-2019-2729)

  • Source: SANGFOR Security Center
  • Date Published: 2019-06-25

Summary

WebLogic

WebLogic is an application server produced by Oracle. It is Java EE middleware used for developing, integrating, deploying and managing large distributed web applications, network applications and database applications.

It brings the dynamic features of Java and the security of the Java EE standard to the development, integration, deployment and management of large web applications. WebLogic is one of the most widely used J2EE application servers on the market and was the first to be commercialized. It features scalability, rapid development, flexibility and reliability.

Vulnerability Introduction

The vulnerability (CVE-2019-2729) bypasses the patch for CVE-2019-2725, providing a new way to exploit the same weakness. Like CVE-2019-2725, CVE-2019-2729 is caused by a flaw in the deserialization of untrusted input. An attacker who sends a crafted malicious HTTP request can execute code remotely with the privileges of the server process. Oracle has issued an official patch for this vulnerability. Affected users are strongly advised to apply it as soon as possible so that their servers are not left exposed.

Impacts

Globally, there are over 35,894 WebLogic-based assets exposed on the public internet, of which more than 10,000 are in China.

Affected Versions:

Oracle WebLogic 10.3.6

Oracle WebLogic 12.1.3

Oracle WebLogic 12.2.1.3

Timeline

4/17/2019  CNVD published a remote code execution vulnerability in WebLogic wls-async deserialization (CNVD-C-2019-48814, CVE-2019-2725).

4/22/2019  The Sangfor security team analyzed and reproduced the vulnerability, and released alerts and solutions.

6/3/2019  The Sangfor security team found unofficial exploitation of an Oracle WebLogic remote execution vulnerability (a zero-day), reproduced and analyzed the vulnerability, and released alerts and solutions.

6/15/2019  The Sangfor security team found a variety of attack variants showing a tendency to spread, and issued a second vulnerability alert.

6/18/2019  Oracle disclosed a WebLogic remote execution vulnerability (CVE-2019-2729) and issued a patch for it.

6/19/2019  The Sangfor security team released an alert on CVE-2019-2729.

Solution

Sangfor Solutions

Sangfor Security Cloud was updated immediately and can now probe websites for this vulnerability to keep users secure. If you are not sure whether your business systems are affected, sign in to Sangfor Visioner to apply for a 30-day free trial and run a security health check.

Sign In Here: http://saas.sangfor.com.cn

For Sangfor NGAF customers, simply update to the latest security protection feature.

Remediation Solution

Oracle has fixed this vulnerability in a Critical Patch Update (CPU): https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html. Affected users should use a valid Oracle support account to download the latest patch from https://support.oracle.com.

If the patch cannot be applied immediately, the following temporary mitigations can be used:

1. Delete the following two files and their related (exploded) folders, then restart the WebLogic service:

wls9_async_response.war files and folders

wls-wsat.war files and folders

File Path:

For version 10.3.*:

\Middleware\wlserver_10.3\server\lib\
%DOMAIN_HOME%\servers\AdminServer\tmp\_WL_internal\
%DOMAIN_HOME%\servers\AdminServer\tmp\.internal\ 

For version 12.1.3:

\Middleware\Oracle_Home\oracle_common\modules\
%DOMAIN_HOME%\servers\AdminServer\tmp\.internal\
%DOMAIN_HOME%\servers\AdminServer\tmp\_WL_internal\ 

2. Restrict access to the path /_async/*.
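As an added check that is not part of the original advisory, the following Python script verifies whether step 1 has actually been carried out on a host: it scans the directories listed above for any remaining wls9_async_response / wls-wsat .war file or exploded folder. It assumes the "\Middleware" prefix in the paths above is the installation root passed as middleware_root, and the directory layout it builds for the demo is constructed, not a real installation.

```python
import os
import shutil
import tempfile

# Artifacts the advisory says to remove: the two .war files and their exploded folders.
ARTIFACTS = ("wls9_async_response", "wls-wsat")
# Directories the advisory lists per version, relative to the Middleware root and
# %DOMAIN_HOME%; built with os.path.join so the same check runs on Linux hosts.
SEARCH_DIRS = {
    "10.3": [
        ("middleware", os.path.join("wlserver_10.3", "server", "lib")),
        ("domain", os.path.join("servers", "AdminServer", "tmp", "_WL_internal")),
        ("domain", os.path.join("servers", "AdminServer", "tmp", ".internal")),
    ],
    "12.1.3": [
        ("middleware", os.path.join("Oracle_Home", "oracle_common", "modules")),
        ("domain", os.path.join("servers", "AdminServer", "tmp", ".internal")),
        ("domain", os.path.join("servers", "AdminServer", "tmp", "_WL_internal")),
    ],
}

def find_artifacts(middleware_root, domain_home, version):
    """Paths of wls9_async_response*/wls-wsat* still present; empty means step 1 is done."""
    roots = {"middleware": middleware_root, "domain": domain_home}
    found = []
    for root_key, rel in SEARCH_DIRS[version]:
        base = os.path.join(roots[root_key], rel)
        if not os.path.isdir(base):
            continue
        for dirpath, dirnames, filenames in os.walk(base):
            hits = [n for n in dirnames + filenames if n.startswith(ARTIFACTS)]
            found.extend(os.path.join(dirpath, n) for n in hits)
            dirnames[:] = [d for d in dirnames if d not in hits]  # skip exploded hits
    return sorted(found)

def demo_before_after():
    """Constructed 10.3-style layout (not a real install): check, remove, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        mw, dom = os.path.join(tmp, "Middleware"), os.path.join(tmp, "base_domain")
        lib = os.path.join(mw, "wlserver_10.3", "server", "lib")
        internal = os.path.join(dom, "servers", "AdminServer", "tmp", "_WL_internal")
        os.makedirs(lib)
        os.makedirs(os.path.join(internal, "wls-wsat", "WEB-INF"))  # exploded folder
        open(os.path.join(lib, "wls9_async_response.war"), "wb").close()
        before = find_artifacts(mw, dom, "10.3")
        for path in before:  # step 1 of the advisory: delete files and folders
            shutil.rmtree(path) if os.path.isdir(path) else os.remove(path)
        return len(before), len(find_artifacts(mw, dom, "10.3"))
```

On a real host, call find_artifacts with the actual Middleware root and %DOMAIN_HOME% and the matching version key; a non-empty result means the artifacts are still deployed and the service has not yet been hardened.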