Recently, CNVD exposed a deserialization remote command execution vulnerability (CNVD-C-2019-48814) in WebLogic’s WLS-ASYNC component in its security updates. The severity level of this vulnerability is rated as high. This vulnerability is caused by the flaws in the WLS9-ASYNC component when deserializing input information. Unauthorized attackers may exploit this vulnerability to send malicious HTTP requests which are carefully crafted to get access to servers and execute remote command.
Sangfor security team responded and sent out alerts immediately and followed up this security event.
- About WebLogic
▪ WebLogic is an application server, or a JAVAEE-based middleware components provided by Oracle Corporation. It is used to develop, integrate, deploy and manage distributed Web applications, network applications and database applications.
▪ Many managed large-scale websites are currently employing Java and Java Enterprise. Weblogic is one of the mainstream Java (J2EE) application servers, and the first commercialized J2EE application server, boasting high scalability, flexibility and reliability.
- Vulnerability Analysis
▪ The vulnerability (CNVD-C-2019-48814) in the component WLS9-ASYNC of WebLogic server allows attackers to input malicious XML data through the path /_async/AsyncResponseService. When incoming data are deserialized on the server, malicious code contained in those data is executed so that attackers can get control over the server.
- Vulnerability Reproduction
▪ Download WebLogic10.3.6.0 on a machine and take it as target. Make the directory /_async/AsyncResponseService open to public.
▪ Input crafted XML data to launch attacks, as shown below:
Globally, there are over 35,894 WebLogic-based servers are open to the Internet, among which over 10,000 are located in China.
WebLogic 10.* and 18.104.22.168
- Sangfor Solutions
Sangfor Security Team immediately released an update and gained the ability to probe websites for this vulnerability and ensure user security.
For Sangfor NGAF customers, simply update security capabilities and turn on the corresponding security protection feature.
▪ Since Oracle has not released official patch for the vulnerability, you can adopt the following measures for temporary protection:
1. Set URL access control policy to block access to the /_async/* directories.
2. Delete the .war file and its related folders and re-launch Weblogic service. Specific /_async/* directories for different versions:
For WebLogic 10.3.*:
For WebLogic 12.1.3: