Quantcast
Channel: Tenable Blog
Viewing all articles
Browse latest Browse all 1935

Oracle WebLogic Affected by Unauthenticated Remote Code Execution Vulnerability (CVE-2019-2725)

$
0
0

Oracle WebLogic is vulnerable to a new deserialization vulnerability that could allow an attacker to execute remote commands on vulnerable hosts.

Background

On April 17, China National Vulnerability Database (CNVD) published a security bulletin about an unauthenticated remote command execution (RCE) vulnerability in Oracle WebLogic (CNVD-C-2019-48814). Oracle WebLogic Server is middleware for deploying and administering web applications. An attacker could send a request to a WebLogic Server, which would then reach out to a malicious host to complete the request, opening up the WebLogic server to an RCE attack.

Analysis

Tenable Research has been examining this vulnerability to provide in-depth understanding of the attack and its risk. With public discourse surrounding how this attack works, and how it differs from CVE-2017-10271, Tenable was able to create a working proof of concept (PoC) against a target updated to the latest version of Web Logic server with the latest Oracle CPU applied.

An attacker could send specially crafted XML requests to a WebLogic server, which then causes the server to execute code instructing the server to reach out to a specific malicious host to complete the request. The WebLogic server then receives another XML response from the malicious host containing additional exploit instructions.

Proof of concept

We have reviewed some of the PoC code in circulation and have demonstrated a modified version of one PoC, which can be seen in the following video:

Solution

Oracle has released an official fix for this vulnerability and it’s available here for WebLogic server 10.3.6, with the fix for 12.1.3 scheduled to release on April 29th 2019. The CNVD listing has also included the following workaround:

  1. Delete the war package from the WebLogic server, and restart the Weblogic service.
  2. Restrict access to, or disable, the “/_async/*” and “/wls-wsat/” URL paths on the WebLogic server.

In addition, Tenable recommends reviewing your organization’s whitelist for trusted sources on your WebLogic server. At this time, known exploits for this vulnerability require the server to reach out to a malicious host. If that malicious host is not trusted, and does not appear on your organizational whitelist, this can reduce the risk of attack for currently available known exploit methods.

Identifying affected systems

A list of plugins to identify this vulnerability will appear here as they’re released.

Get more information 

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.


Viewing all articles
Browse latest Browse all 1935

Trending Articles