Oracle Weblogic Remote Code Execution Vulnerability Alert (CVE-2019-2725 patch bypassed)

Recently, the KnownSec 404 Team found an exploit for Oracle WebLogic whose attack characteristics closely resemble those of CVE-2019-2725. The attack bypasses the latest security patch that Oracle released in April. Because deserialized data is not adequately filtered, an unauthenticated attacker can send a carefully crafted malicious HTTP request to gain server privileges and execute arbitrary code remotely.

Affected version

  • Weblogic 10.3.6.0
  • Weblogic 12.1.3

Solution

At present, Oracle has not released an official patch for this bypass.

Temporary Solution

  • Scenario-1:
    Find and delete wls9_async_response.war and wls-wsat.war, then restart the WebLogic service.
    10.3.*:

    \Middleware\wlserver_10.3\server\lib\
    %DOMAIN_HOME%\servers\AdminServer\tmp\_WL_internal\
    %DOMAIN_HOME%\servers\AdminServer\tmp\.internal\

    12.1.3:

    \Middleware\Oracle_Home\oracle_common\modules\
    %DOMAIN_HOME%\servers\AdminServer\tmp\.internal\
    %DOMAIN_HOME%\servers\AdminServer\tmp\_WL_internal\

  • Scenario-2:
    Restrict URL access to the /_async/* and /wls-wsat/* paths through access-policy controls.
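The following is an added example, not code from KnownSec or Oracle: it scans web-server access log lines for requests that reach the two paths named in Scenario-2, and separates requests the server actually answered (a sign the access policy is missing or misconfigured) from those it rejected. The log format is assumed to be Common Log Format, and the sample lines and the paths under the two prefixes are constructed placeholders.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "METHOD path HTTP/x" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The two path prefixes the advisory says to restrict (Scenario-2).
WATCHED_PREFIXES = ("/_async/", "/wls-wsat/")

def parse_line(line):
    """Parse one CLF line; return None for lines that do not match."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    rec["status"] = int(rec["status"])
    return rec

def is_watched(path):
    """True for /_async, /_async/..., /wls-wsat and /wls-wsat/... only."""
    return any(path == p.rstrip("/") or path.startswith(p) for p in WATCHED_PREFIXES)

def scan(lines):
    """Return hits (all requests to watched paths), served (hits answered
    with a status below 400, i.e. not blocked by the access policy) and a
    per-source count of hits."""
    hits = [r for r in map(parse_line, lines) if r and is_watched(r["path"])]
    served = [r for r in hits if r["status"] < 400]
    return {"hits": hits, "served": served, "sources": Counter(r["host"] for r in hits)}

# Constructed sample lines (not real traffic); the paths under the two
# prefixes are placeholders, not specific WebLogic endpoints.
SAMPLE_LOG = [
    '10.0.0.5 - - [27/Apr/2019:10:00:01 +0000] "POST /_async/example HTTP/1.1" 200 512',
    '10.0.0.5 - - [27/Apr/2019:10:00:02 +0000] "POST /wls-wsat/example HTTP/1.1" 403 0',
    '10.0.0.9 - - [27/Apr/2019:10:00:03 +0000] "GET /console/login HTTP/1.1" 200 2048',
    '10.0.0.5 - - [27/Apr/2019:10:00:04 +0000] "GET /_async HTTP/1.1" 404 0',
    'not a log line',
]

if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    print(f"{len(result['hits'])} requests to watched paths, "
          f"{len(result['served'])} served (policy gap), sources={dict(result['sources'])}")
```

Any entry in `served` after the Scenario-2 policy is in place means the restriction is not covering that path and should be checked.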