Recently, CNVD exposed a deserialization remote command execution vulnerability (CNVD-C-2019-48814) in WebLogic’s WLS-ASYNC component in its security updates.  The severity level of this vulnerability is rated as high. This vulnerability is caused by the flaws in the WLS9-ASYNC component when deserializing input information. Unauthorized attackers may exploit this vulnerability to send malicious HTTP requests which are carefully crafted to get access to servers and execute remote command.

Sangfor security team responded and sent out alerts immediately and followed up this security event.

Severity: High

Alert WebLogic WLS-ASYNC Deserialization RCE Vulnerability 
Vulnerability Analysis

- About WebLogic

▪ WebLogic is an application server, or a JAVAEE-based middleware components provided by Oracle Corporation. It is used to develop, integrate, deploy and manage distributed Web applications, network applications and database applications.

▪ Many managed large-scale websites  are currently employing Java and Java Enterprise. Weblogic is one of the mainstream Java (J2EE) application servers, and the first commercialized J2EE application server, boasting high scalability, flexibility and reliability.

- Vulnerability Analysis

▪ The vulnerability (CNVD-C-2019-48814) in the component WLS9-ASYNC of WebLogic server allows attackers to input malicious XML data through the path /_async/AsyncResponseService. When incoming data are deserialized on the server, malicious code contained in those data is executed so that attackers can get control over the server.

- Vulnerability Reproduction

▪ Download WebLogic10.3.6.0 on a machine and take it as target. Make the directory /_async/AsyncResponseService open to public.

▪ Input crafted XML data to launch attacks, as shown below:

Alert WebLogic WLS-ASYNC Deserialization RCE Vulnerability 2

Globally, there are over 35,894 WebLogic-based servers are open to the Internet, among which over 10,000 are located in China.

Affected Versions
WebLogic 10.* and


- Sangfor Solutions

Sangfor Security Team  immediately released an update and gained the ability to probe websites for this vulnerability and ensure user security.

For Sangfor NGAF customers, simply update security capabilities and turn on the corresponding security protection feature.

Remediation Solution

▪ Since Oracle has not released official patch for the vulnerability, you can adopt the following measures for temporary protection:

1. Set URL access control policy to block access to the /_async/* directories.

2. Delete the .war file and its related folders and re-launch Weblogic service. Specific /_async/* directories for different versions:

For WebLogic 10.3.*:
▪ \Middleware\wlserver_10.3\server\lib\bea_wls9_async_response.war

▪ %DOMAIN_HOME%\servers\AdminServer\tmp\_WL_internal\bea_wls9_async_response\

▪ %DOMAIN_HOME%\servers\AdminServer\tmp\.internal\bea_wls9_async_response.war

For WebLogic 12.1.3:
▪ \Middleware\Oracle_Home\oracle_common\modules\

▪ %DOMAIN_HOME%\servers\AdminServer\tmp\.internal\

▪ %DOMAIN_HOME%\servers\AdminServer\tmp\_WL_internal\




Listen To This Post


Get in Touch

Get in Touch with Sangfor Team for Business Inquiry

Related Articles

Cyber Security

Phishing Statistics and How to Prevent Phishing In 2023 

Date : 25 May 2023
Read Now

Cyber Security

The UAE Cybersecurity Council Cautions Against Cyber-Attacks

Date : 11 May 2023
Read Now

Cyber Security

ChatGPT and You - Or I’m No Fool with Weaponized AI

Date : 24 Apr 2023
Read Now

See Other Product

Cyber Command - NDR Platform
Endpoint Secure
Internet Access Gateway (IAG)
NGAF - Next Generation Firewall (NGFW)
Sangfor Access Secure
icon notification