Oracle WebLogic Vulnerability actively being exploited in the wild

May 3, 2019

An insecure deserialization vulnerability has been reported in Oracle WebLogic server. This vulnerability is due to insufficient validation of XML data within the body of HTTP POST requests. A remote attacker can exploit this vulnerability without authentication. Successful exploitation can result in arbitrary code execution under the context of the affected server.

Oracle WebLogic is one of the widely used Java application servers. It helps building and deploying distributed enterprise Java EE applications.

Serialization is the process of translating application data such as objects into a binary format that can be stored and reused by the same application or transmitted over the network to be used by another application.

Deserialization is the reverse of that process that takes data structured from some format, and rebuilding it into an object. By running deserialization, we should be able to fully reconstruct the serialized object.

Insecure Deserialization is a vulnerability which occurs when user input data is not sanitized or validated properly . This untrusted user data can be used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary remote code execution upon it being deserialized. Hence attackers craft the serialized data and the attack depends on what the application code does with the data.

CVE-2019-2725:

An insecure deserialization vulnerability has been reported in Oracle WebLogic server. User input is validated to ensure that tags that result in arbitrary method and constructor calls are blacklisted. The <class> tag is not correctly blacklisted. This allows the attacker to initiate any class with arbitrary constructor arguments. Attackers leverage this to achieve arbitrary code execution, by initiating a class object which accepts a byte array as a constructor argument. Upon initialization, the crafted malicious serialized byte array gets deserialized causing arbitrary remote code execution.

Exploit:

The below POST request to Oracle WebLogic server contains a shell code to download and execute a malicious payload on the vulnerable server.

POST / _Async / AsyncResponseService Http / 1.1
Host:x.x.x.x :7001

Fix:

Oracle has released an out-of-band patch that fixes the vulnerability. Please find the vendor advisory regarding this vulnerability: https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 14180 Oracle Weblogic 10.3.6.0.0/12.1.3.0.0 Remote Code Execution 1
IPS: 14181 Oracle Weblogic 10.3.6.0.0/12.1.3.0.0 Remote Code Execution 2
IPS: 14186 Oracle WebLogic Server Insecure Deserialization 9
IPS: 14187 Oracle WebLogic Server Insecure Deserialization 8
WAF: 1706 Oracle Weblogic 10.3.6.0.0/12.1.3.0.0 Remote Code Execution

Threat Graph: